chore: move celexceptions to the new group (#12143)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

Makefile

@@ -517,6 +517,14 @@ codegen-crds-kyverno: $(CONTROLLER_GEN)
 	@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
 	@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
 
+.PHONY: codegen-crds-policies
+codegen-crds-policies: ## Generate policies CRDs
+codegen-crds-policies: $(PACKAGE_SHIM)
+codegen-crds-policies: $(CONTROLLER_GEN)
+	@echo Generate policies crds... >&2
+	@rm -rf $(CRDS_PATH)/policies.kyverno.io && mkdir -p $(CRDS_PATH)/policies.kyverno.io
+	@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/policies.kyverno.io/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/policies.kyverno.io
+
 .PHONY: codegen-crds-policyreport
 codegen-crds-policyreport: ## Generate policy reports CRDs
 codegen-crds-policyreport: $(PACKAGE_SHIM)
@@ -542,7 +550,7 @@ codegen-crds-cli: $(CONTROLLER_GEN)
 	@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
 
 .PHONY: codegen-crds-all
-codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
+codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-crds-policies codegen-cli-crds ## Generate all CRDs
 
 .PHONY: codegen-helm-docs
 codegen-helm-docs: ## Generate helm docs
@@ -586,14 +594,15 @@ codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
 .PHONY: codegen-cli-crds
 codegen-cli-crds: ## Copy generated CRDs to embed in the CLI
 codegen-cli-crds: codegen-crds-kyverno
+codegen-cli-crds: codegen-crds-policies
 codegen-cli-crds: codegen-crds-cli
 	@echo Copy generated CRDs to embed in the CLI... >&2
 	@rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
 	@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
-	@cp config/crds/kyverno/kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
-	@cp config/crds/kyverno/kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
 
 .PHONY: codegen-docs-all
@@ -631,15 +640,16 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
 	@rm -rf ./charts/kyverno/charts/crds/templates/kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/kyverno.io
 	@rm -rf ./charts/kyverno/charts/crds/templates/reports.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/reports.kyverno.io
 	@rm -rf ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io && mkdir -p ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io
+	@rm -rf ./charts/kyverno/charts/crds/templates/policies.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/policies.kyverno.io
 	$(call generate_crd,kyverno.io_cleanuppolicies.yaml,kyverno,kyverno.io,kyverno,cleanuppolicies)
 	$(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies)
 	$(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies)
 	$(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries)
 	$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
 	$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
-	$(call generate_crd,kyverno.io_celpolicyexceptions.yaml,kyverno,kyverno.io,kyverno,celpolicyexceptions)
 	$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)
-	$(call generate_crd,kyverno.io_validatingpolicies.yaml,kyverno,kyverno.io,kyverno,validatingpolicies)
+	$(call generate_crd,policies.kyverno.io_celpolicyexceptions.yaml,policies.kyverno.io,policies.kyverno.io,policies,celpolicyexceptions)
+	$(call generate_crd,policies.kyverno.io_validatingpolicies.yaml,policies.kyverno.io,policies.kyverno.io,policies,validatingpolicies)
 	$(call generate_crd,reports.kyverno.io_clusterephemeralreports.yaml,reports,reports.kyverno.io,reports,clusterephemeralreports)
 	$(call generate_crd,reports.kyverno.io_ephemeralreports.yaml,reports,reports.kyverno.io,reports,ephemeralreports)
 	$(call generate_crd,wgpolicyk8s.io_clusterpolicyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,clusterpolicyreports)

api/policies.kyverno.io/v1alpha1/policy_exception.go

@@ -0,0 +1,80 @@
+package v1alpha1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PolicyException declares resources to be excluded from specified policies.
+type CELPolicyException struct {
+	metav1.TypeMeta   `json:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec declares policy exception behaviors.
+	Spec CELPolicyExceptionSpec `json:"spec"`
+}
+
+func (p *CELPolicyException) GetKind() string {
+	return "CELPolicyException"
+}
+
+// Validate implements programmatic validation
+func (p *CELPolicyException) Validate() (errs field.ErrorList) {
+	errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
+	return errs
+}
+
+// PolicyExceptionSpec stores policy exception spec
+type CELPolicyExceptionSpec struct {
+	// PolicyRefs identifies the policies to which the exception is applied.
+	PolicyRefs []PolicyRef `json:"policyRefs"`
+
+	// MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
+	// +optional
+	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (p *CELPolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
+	if len(p.PolicyRefs) == 0 {
+		errs = append(errs, field.Invalid(path.Child("policyRefs"), p.PolicyRefs, "must specify at least one policy ref"))
+	} else {
+		for i, policyRef := range p.PolicyRefs {
+			errs = append(errs, policyRef.Validate(path.Child("policyRefs").Index(i))...)
+		}
+	}
+	return errs
+}
+
+type PolicyRef struct {
+	// Name is the name of the policy
+	Name string `json:"name"`
+
+	// Kind is the kind of the policy
+	Kind string `json:"kind"`
+}
+
+func (p *PolicyRef) Validate(path *field.Path) (errs field.ErrorList) {
+	if p.Name == "" {
+		errs = append(errs, field.Invalid(path.Child("name"), p.Name, "must specify policy name"))
+	}
+	if p.Kind == "" {
+		errs = append(errs, field.Invalid(path.Child("kind"), p.Kind, "must specify policy kind"))
+	}
+	return errs
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CELPolicyExceptionList is a list of Policy Exceptions
+type CELPolicyExceptionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CELPolicyException `json:"items"`
+}

api/policies.kyverno.io/v1alpha1/policy_interface.go

@@ -0,0 +1,18 @@
+package v1alpha1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:generate=false
+type GenericPolicy interface {
+	metav1.Object
+	GetMatchConstraints() admissionregistrationv1.MatchResources
+	GetMatchConditions() []admissionregistrationv1.MatchCondition
+	GetFailurePolicy() admissionregistrationv1.FailurePolicyType
+	GetWebhookConfiguration() *WebhookConfiguration
+	GetVariables() []admissionregistrationv1.Variable
+	GetSpec() *ValidatingPolicySpec
+	GetStatus() *PolicyStatus
+}

api/policies.kyverno.io/v1alpha1/policy_status.go

@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -21,6 +22,23 @@ type PolicyStatus struct {
 
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// +optional
+	Autogen AutogenStatus `json:"autogen"`
+}
+
+// AutogenStatus contains autogen status information.
+type AutogenStatus struct {
+	// Rules is a list of Rule instances. It contains auto generated rules added for pod controllers
+	Rules []AutogenRule `json:"rules,omitempty"`
+}
+
+type AutogenRule struct {
+	MatchConstraints *admissionregistrationv1.MatchResources   `json:"matchConstraints,omitempty"`
+	MatchConditions  []admissionregistrationv1.MatchCondition  `json:"matchConditions,omitempty"`
+	Validations      []admissionregistrationv1.Validation      `json:"validations,omitempty"`
+	AuditAnnotation  []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+	Variables        []admissionregistrationv1.Variable        `json:"variables,omitempty"`
 }
 
 func (status *PolicyStatus) SetReadyByCondition(c PolicyConditionType, s metav1.ConditionStatus, message string) {

api/policies.kyverno.io/v1alpha1/validating_policy.go

@@ -45,6 +45,10 @@ func (s *ValidatingPolicy) GetVariables() []admissionregistrationv1.Variable {
 	return s.Spec.Variables
 }
 
+func (s *ValidatingPolicy) GetSpec() *ValidatingPolicySpec {
+	return &s.Spec
+}
+
 func (s *ValidatingPolicy) GetStatus() *PolicyStatus {
 	return &s.Status
 }

api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go

@@ -22,21 +22,190 @@ limitations under the License.
 package v1alpha1
 
 import (
-	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/admissionregistration/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutogenRule) DeepCopyInto(out *AutogenRule) {
+	*out = *in
+	if in.MatchConstraints != nil {
+		in, out := &in.MatchConstraints, &out.MatchConstraints
+		*out = new(v1.MatchResources)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.MatchConditions != nil {
+		in, out := &in.MatchConditions, &out.MatchConditions
+		*out = make([]v1.MatchCondition, len(*in))
+		copy(*out, *in)
+	}
+	if in.Validations != nil {
+		in, out := &in.Validations, &out.Validations
+		*out = make([]v1.Validation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuditAnnotation != nil {
+		in, out := &in.AuditAnnotation, &out.AuditAnnotation
+		*out = make([]v1.AuditAnnotation, len(*in))
+		copy(*out, *in)
+	}
+	if in.Variables != nil {
+		in, out := &in.Variables, &out.Variables
+		*out = make([]v1.Variable, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenRule.
+func (in *AutogenRule) DeepCopy() *AutogenRule {
+	if in == nil {
+		return nil
+	}
+	out := new(AutogenRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]AutogenRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.
+func (in *AutogenStatus) DeepCopy() *AutogenStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AutogenStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyException.
+func (in *CELPolicyException) DeepCopy() *CELPolicyException {
+	if in == nil {
+		return nil
+	}
+	out := new(CELPolicyException)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CELPolicyException) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyExceptionList) DeepCopyInto(out *CELPolicyExceptionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CELPolicyException, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionList.
+func (in *CELPolicyExceptionList) DeepCopy() *CELPolicyExceptionList {
+	if in == nil {
+		return nil
+	}
+	out := new(CELPolicyExceptionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CELPolicyExceptionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyExceptionSpec) DeepCopyInto(out *CELPolicyExceptionSpec) {
+	*out = *in
+	if in.PolicyRefs != nil {
+		in, out := &in.PolicyRefs, &out.PolicyRefs
+		*out = make([]PolicyRef, len(*in))
+		copy(*out, *in)
+	}
+	if in.MatchConditions != nil {
+		in, out := &in.MatchConditions, &out.MatchConditions
+		*out = make([]v1.MatchCondition, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionSpec.
+func (in *CELPolicyExceptionSpec) DeepCopy() *CELPolicyExceptionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CELPolicyExceptionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRef) DeepCopyInto(out *PolicyRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRef.
+func (in *PolicyRef) DeepCopy() *PolicyRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]v1.Condition, len(*in))
+		*out = make([]metav1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	in.Autogen.DeepCopyInto(&out.Autogen)
 	return
 }
 
@@ -117,7 +286,7 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
 	in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec)
 	if in.ValidationAction != nil {
 		in, out := &in.ValidationAction, &out.ValidationAction
-		*out = make([]admissionregistrationv1.ValidationAction, len(*in))
+		*out = make([]v1.ValidationAction, len(*in))
 		copy(*out, *in)
 	}
 	if in.WebhookConfiguration != nil {

api/policies.kyverno.io/v1alpha1/zz_generated.register.go

@@ -58,6 +58,8 @@ func init() {
 // Adds the list of known types to Scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CELPolicyException{},
+		&CELPolicyExceptionList{},
 		&ValidatingPolicy{},
 		&ValidatingPolicyList{},
 	)

charts/kyverno/README.md

@@ -258,6 +258,8 @@ The chart values are organised per component.
 |-----|------|---------|-------------|
 | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
 | crds.groups.kyverno | object | `{"celpolicyexceptions":true,"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` |
+| crds.groups.policies.validatingpolicies | bool | `true` |  |
+| crds.groups.policies.celpolicyexceptions | bool | `true` |  |
 | crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` |
 | crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` |
 | crds.annotations | object | `{}` | Additional CRDs annotations |

charts/kyverno/charts/crds/README.md

@@ -7,6 +7,8 @@
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| groups.policies.validatingpolicies | bool | `true` |  |
+| groups.policies.celpolicyexceptions | bool | `true` |  |
 | groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
 | groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
 | annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |

charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.groups.kyverno.celpolicyexceptions }}
+{{- if .Values.groups.policies.celpolicyexceptions }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -10,9 +10,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
     controller-gen.kubebuilder.io/version: v0.16.1
-  name: celpolicyexceptions.kyverno.io
+  name: celpolicyexceptions.policies.kyverno.io
 spec:
-  group: kyverno.io
+  group: policies.kyverno.io
   names:
     kind: CELPolicyException
     listKind: CELPolicyExceptionList
@@ -20,7 +20,7 @@ spec:
     singular: celpolicyexception
   scope: Namespaced
   versions:
-  - name: v2alpha1
+  - name: v1alpha1
     schema:
       openAPIV3Schema:
         description: PolicyException declares resources to be excluded from specified

charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.groups.kyverno.validatingpolicies }}
+{{- if .Values.groups.policies.validatingpolicies }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -10,9 +10,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
     controller-gen.kubebuilder.io/version: v0.16.1
-  name: validatingpolicies.kyverno.io
+  name: validatingpolicies.policies.kyverno.io
 spec:
-  group: kyverno.io
+  group: policies.kyverno.io
   names:
     categories:
     - kyverno
@@ -28,7 +28,7 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: AGE
       type: date
-    name: v2alpha1
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         properties:

charts/kyverno/charts/crds/values.yaml

@@ -19,6 +19,10 @@ groups:
     updaterequests: true
     validatingpolicies: true
 
+  policies:
+    validatingpolicies: true
+    celpolicyexceptions: true
+
   # -- Install CRDs in group `reports.kyverno.io`
   # -- This field can be overwritten by setting crds.labels in the parent chart
   reports:

charts/kyverno/templates/admission-controller/clusterrole.yaml

@@ -73,6 +73,18 @@ rules:
       - globalcontextentries
       - globalcontextentries/status
       - policyexceptions
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - policies.kyverno.io
+    resources:
       - validatingpolicies
       - validatingpolicies/status
       - celpolicyexceptions

charts/kyverno/templates/reports-controller/clusterrole.yaml

@@ -43,6 +43,18 @@ rules:
       - policyexceptions
       - policies
       - clusterpolicies
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - policies.kyverno.io
+    resources:
       - validatingpolicies
       - validatingpolicies/status
     verbs:

charts/kyverno/values.yaml

@@ -85,6 +85,10 @@ crds:
       validatingpolicies: true
       celpolicyexceptions: true
 
+    policies:
+      validatingpolicies: true
+      celpolicyexceptions: true
+
     # -- Install CRDs in group `reports.kyverno.io`
     reports:
       clusterephemeralreports: true

cmd/cli/kubectl-kyverno/commands/apply/command.go

@@ -13,7 +13,7 @@ import (
 	"github.com/go-git/go-billy/v5/memfs"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
@@ -314,7 +314,7 @@ func (c *ApplyCommandConfig) applyValidatingAdmissionPolicies(
 }
 
 func (c *ApplyCommandConfig) applyValidatingPolicies(
-	vps []kyvernov2alpha1.ValidatingPolicy,
+	vps []policiesv1alpha1.ValidatingPolicy,
 	resources []*unstructured.Unstructured,
 	namespaceProvider func(string) *corev1.Namespace,
 	_ *processor.ResultCounts,
@@ -464,14 +464,14 @@ func (c *ApplyCommandConfig) loadPolicies() (
 	[]kyvernov1.PolicyInterface,
 	[]admissionregistrationv1.ValidatingAdmissionPolicy,
 	[]admissionregistrationv1.ValidatingAdmissionPolicyBinding,
-	[]kyvernov2alpha1.ValidatingPolicy,
+	[]policiesv1alpha1.ValidatingPolicy,
 	error,
 ) {
 	// load policies
 	var policies []kyvernov1.PolicyInterface
 	var vaps []admissionregistrationv1.ValidatingAdmissionPolicy
 	var vapBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding
-	var vps []kyvernov2alpha1.ValidatingPolicy
+	var vps []policiesv1alpha1.ValidatingPolicy
 
 	for _, path := range c.PolicyPaths {
 		isGit := source.IsGit(path)

cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_celpolicyexceptions.yaml

@@ -4,9 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: (devel)
-  name: celpolicyexceptions.kyverno.io
+  name: celpolicyexceptions.policies.kyverno.io
 spec:
-  group: kyverno.io
+  group: policies.kyverno.io
   names:
     kind: CELPolicyException
     listKind: CELPolicyExceptionList
@@ -14,7 +14,7 @@ spec:
     singular: celpolicyexception
   scope: Namespaced
   versions:
-  - name: v2alpha1
+  - name: v1alpha1
     schema:
       openAPIV3Schema:
         description: PolicyException declares resources to be excluded from specified

cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml

@@ -4,9 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: (devel)
-  name: validatingpolicies.kyverno.io
+  name: validatingpolicies.policies.kyverno.io
 spec:
-  group: kyverno.io
+  group: policies.kyverno.io
   names:
     categories:
     - kyverno
@@ -22,7 +22,7 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: AGE
       type: date
-    name: v2alpha1
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         properties:

cmd/cli/kubectl-kyverno/policy/load.go

@@ -12,8 +12,8 @@ import (
 
 	"github.com/go-git/go-billy/v5"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
@@ -33,7 +33,7 @@ var (
 	clusterPolicyV2       = kyvernov2beta1.SchemeGroupVersion.WithKind("ClusterPolicy")
 	vapV1                 = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
 	vapBindingV1          = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
-	vpV2alpha1            = kyvernov2alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
+	vpV2alpha1            = policiesv1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
 	LegacyLoader          = legacyLoader
 	KubectlValidateLoader = kubectlValidateLoader
 	defaultLoader         = func(path string, bytes []byte) (*LoaderResults, error) {
@@ -54,7 +54,7 @@ type LoaderResults struct {
 	Policies           []kyvernov1.PolicyInterface
 	VAPs               []admissionregistrationv1.ValidatingAdmissionPolicy
 	VAPBindings        []admissionregistrationv1.ValidatingAdmissionPolicyBinding
-	ValidatingPolicies []kyvernov2alpha1.ValidatingPolicy
+	ValidatingPolicies []policiesv1alpha1.ValidatingPolicy
 	NonFatalErrors     []LoaderError
 }
 
@@ -166,7 +166,7 @@ func kubectlValidateLoader(path string, content []byte) (*LoaderResults, error)
 			}
 			results.VAPBindings = append(results.VAPBindings, *typed)
 		case vpV2alpha1:
-			typed, err := convert.To[kyvernov2alpha1.ValidatingPolicy](untyped)
+			typed, err := convert.To[policiesv1alpha1.ValidatingPolicy](untyped)
 			if err != nil {
 				return nil, err
 			}

cmd/kyverno/main.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/cmd/internal"
 	"github.com/kyverno/kyverno/pkg/auth/checker"
 	"github.com/kyverno/kyverno/pkg/breaker"
@@ -154,7 +154,7 @@ func createrLeaderControllers(
 		kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
 		kyvernoInformer.Kyverno().V1().ClusterPolicies(),
 		kyvernoInformer.Kyverno().V1().Policies(),
-		kyvernoInformer.Kyverno().V2alpha1().ValidatingPolicies(),
+		kyvernoInformer.Policies().V1alpha1().ValidatingPolicies(),
 		deploymentInformer,
 		caInformer,
 		kubeKyvernoInformer.Coordination().V1().Leases(),
@@ -219,8 +219,8 @@ func createrLeaderControllers(
 		nil,
 		[]admissionregistrationv1.RuleWithOperations{{
 			Rule: admissionregistrationv1.Rule{
-				APIGroups:   []string{"kyverno.io"},
+				APIGroups:   []string{"policies.kyverno.io"},
-				APIVersions: []string{"v2alpha1"},
+				APIVersions: []string{"v1alpha1"},
 				Resources:   []string{"celpolicyexceptions"},
 			},
 			Operations: []admissionregistrationv1.OperationType{
@@ -594,7 +594,7 @@ func main() {
 		{
 			// create a controller manager
 			scheme := kruntime.NewScheme()
-			if err := kyvernov2alpha1.Install(scheme); err != nil {
+			if err := policiesv1alpha1.Install(scheme); err != nil {
 				setup.Logger.Error(err, "failed to initialize scheme")
 				os.Exit(1)
 			}
@@ -608,7 +608,7 @@ func main() {
 			// create compiler
 			compiler := celpolicy.NewCompiler()
 			// create provider
-			provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Kyverno().V2alpha1().CELPolicyExceptions().Lister())
+			provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Policies().V1alpha1().CELPolicyExceptions().Lister())
 			if err != nil {
 				setup.Logger.Error(err, "failed to create policy provider")
 				os.Exit(1)

cmd/reports-controller/main.go

@@ -76,13 +76,13 @@ func createReportControllers(
 	}
 	kyvernoV1 := kyvernoInformer.Kyverno().V1()
 	kyvernoV2 := kyvernoInformer.Kyverno().V2()
-	kyvernoV2alpha1 := kyvernoInformer.Kyverno().V2alpha1()
+	policiesV1alpha1 := kyvernoInformer.Policies().V1alpha1()
 	if backgroundScan || admissionReports {
 		resourceReportController := resourcereportcontroller.NewController(
 			client,
 			kyvernoV1.Policies(),
 			kyvernoV1.ClusterPolicies(),
-			kyvernoV2alpha1.ValidatingPolicies(),
+			policiesV1alpha1.ValidatingPolicies(),
 			vapInformer,
 		)
 		warmups = append(warmups, func(ctx context.Context) error {
@@ -102,7 +102,7 @@ func createReportControllers(
 					metadataFactory,
 					kyvernoV1.Policies(),
 					kyvernoV1.ClusterPolicies(),
-					kyvernoV2alpha1.ValidatingPolicies(),
+					policiesV1alpha1.ValidatingPolicies(),
 					vapInformer,
 				),
 				aggregationWorkers,
@@ -116,7 +116,7 @@ func createReportControllers(
 				metadataFactory,
 				kyvernoV1.Policies(),
 				kyvernoV1.ClusterPolicies(),
-				kyvernoV2alpha1.ValidatingPolicies(),
+				policiesV1alpha1.ValidatingPolicies(),
 				kyvernoV2.PolicyExceptions(),
 				vapInformer,
 				vapBindingInformer,

config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml

@@ -0,0 +1,106 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  name: celpolicyexceptions.policies.kyverno.io
+spec:
+  group: policies.kyverno.io
+  names:
+    kind: CELPolicyException
+    listKind: CELPolicyExceptionList
+    plural: celpolicyexceptions
+    singular: celpolicyexception
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PolicyException declares resources to be excluded from specified
+          policies.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec declares policy exception behaviors.
+            properties:
+              matchConditions:
+                description: MatchConditions is a list of CEL expressions that must
+                  be met for a resource to be excluded.
+                items:
+                  description: MatchCondition represents a condition which must by
+                    fulfilled for a request to be sent to a webhook.
+                  properties:
+                    expression:
+                      description: |-
+                        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+                        CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+                        'object' - The object from the incoming request. The value is null for DELETE requests.
+                        'oldObject' - The existing object. The value is null for CREATE requests.
+                        'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+                        'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+                          See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+                        'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+                          request resource.
+                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                        Required.
+                      type: string
+                    name:
+                      description: |-
+                        Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+                        as well as providing an identifier for logging purposes. A good name should be descriptive of
+                        the associated expression.
+                        Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+                        must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+                        '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+                        optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+                        Required.
+                      type: string
+                  required:
+                  - expression
+                  - name
+                  type: object
+                type: array
+              policyRefs:
+                description: PolicyRefs identifies the policies to which the exception
+                  is applied.
+                items:
+                  properties:
+                    kind:
+                      description: Kind is the kind of the policy
+                      type: string
+                    name:
+                      description: Name is the name of the policy
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+            required:
+            - policyRefs
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true

config/install-latest-testing.yaml

@@ -195,119 +195,6 @@ data:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
-metadata:
-  labels:
-    app.kubernetes.io/component: crds
-    app.kubernetes.io/instance: kyverno
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/part-of: kyverno-crds
-    app.kubernetes.io/version: v0.0.0
-    helm.sh/chart: crds-v0.0.0
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
-  name: celpolicyexceptions.kyverno.io
-spec:
-  group: kyverno.io
-  names:
-    kind: CELPolicyException
-    listKind: CELPolicyExceptionList
-    plural: celpolicyexceptions
-    singular: celpolicyexception
-  scope: Namespaced
-  versions:
-  - name: v2alpha1
-    schema:
-      openAPIV3Schema:
-        description: PolicyException declares resources to be excluded from specified
-          policies.
-        properties:
-          apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-            type: string
-          kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec declares policy exception behaviors.
-            properties:
-              matchConditions:
-                description: MatchConditions is a list of CEL expressions that must
-                  be met for a resource to be excluded.
-                items:
-                  description: MatchCondition represents a condition which must by
-                    fulfilled for a request to be sent to a webhook.
-                  properties:
-                    expression:
-                      description: |-
-                        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
-                        CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
-                        'object' - The object from the incoming request. The value is null for DELETE requests.
-                        'oldObject' - The existing object. The value is null for CREATE requests.
-                        'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
-                        'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
-                          See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
-                        'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
-                          request resource.
-                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
-                        Required.
-                      type: string
-                    name:
-                      description: |-
-                        Name is an identifier for this match condition, used for strategic merging of MatchConditions,
-                        as well as providing an identifier for logging purposes. A good name should be descriptive of
-                        the associated expression.
-                        Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
-                        must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
-                        '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
-                        optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
-                        Required.
-                      type: string
-                  required:
-                  - expression
-                  - name
-                  type: object
-                type: array
-              policyRefs:
-                description: PolicyRefs identifies the policies to which the exception
-                  is applied.
-                items:
-                  properties:
-                    kind:
-                      description: Kind is the kind of the policy
-                      type: string
-                    name:
-                      description: Name is the name of the policy
-                      type: string
-                  required:
-                  - kind
-                  - name
-                  type: object
-                type: array
-            required:
-            - policyRefs
-            type: object
-        required:
-        - spec
-        type: object
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
 metadata:
   labels:
     app.kubernetes.io/component: crds
@@ -48537,9 +48424,122 @@ metadata:
     helm.sh/chart: crds-v0.0.0
   annotations:
     controller-gen.kubebuilder.io/version: v0.16.1
-  name: validatingpolicies.kyverno.io
+  name: celpolicyexceptions.policies.kyverno.io
 spec:
-  group: kyverno.io
+  group: policies.kyverno.io
+  names:
+    kind: CELPolicyException
+    listKind: CELPolicyExceptionList
+    plural: celpolicyexceptions
+    singular: celpolicyexception
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PolicyException declares resources to be excluded from specified
+          policies.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec declares policy exception behaviors.
+            properties:
+              matchConditions:
+                description: MatchConditions is a list of CEL expressions that must
+                  be met for a resource to be excluded.
+                items:
+                  description: MatchCondition represents a condition which must by
+                    fulfilled for a request to be sent to a webhook.
+                  properties:
+                    expression:
+                      description: |-
+                        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+                        CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+                        'object' - The object from the incoming request. The value is null for DELETE requests.
+                        'oldObject' - The existing object. The value is null for CREATE requests.
+                        'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+                        'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+                          See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+                        'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+                          request resource.
+                        Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+                        Required.
+                      type: string
+                    name:
+                      description: |-
+                        Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+                        as well as providing an identifier for logging purposes. A good name should be descriptive of
+                        the associated expression.
+                        Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+                        must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+                        '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+                        optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+                        Required.
+                      type: string
+                  required:
+                  - expression
+                  - name
+                  type: object
+                type: array
+              policyRefs:
+                description: PolicyRefs identifies the policies to which the exception
+                  is applied.
+                items:
+                  properties:
+                    kind:
+                      description: Kind is the kind of the policy
+                      type: string
+                    name:
+                      description: Name is the name of the policy
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+            required:
+            - policyRefs
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app.kubernetes.io/component: crds
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: kyverno-crds
+    app.kubernetes.io/version: v0.0.0
+    helm.sh/chart: crds-v0.0.0
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: validatingpolicies.policies.kyverno.io
+spec:
+  group: policies.kyverno.io
   names:
     categories:
     - kyverno
@@ -48555,7 +48555,7 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: AGE
       type: date
-    name: v2alpha1
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         properties:
@@ -51328,6 +51328,18 @@ rules:
       - globalcontextentries
       - globalcontextentries/status
       - policyexceptions
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - policies.kyverno.io
+    resources:
       - validatingpolicies
       - validatingpolicies/status
       - celpolicyexceptions
@@ -51872,6 +51884,18 @@ rules:
       - policyexceptions
       - policies
       - clusterpolicies
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - policies.kyverno.io
+    resources:
       - validatingpolicies
       - validatingpolicies/status
     verbs:

docs/user/crd/index.html

@@ -10656,9 +10656,102 @@ github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1.Any
 </p>
 Resource Types:
 <ul><li>
+<a href="#policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException</a>
+</li><li>
 <a href="#policies.kyverno.io/v1alpha1.ValidatingPolicy">ValidatingPolicy</a>
 </li></ul>
 <hr />
+<h3 id="policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException
+</h3>
+<p>
+<p>PolicyException declares resources to be excluded from specified policies.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+policies.kyverno.io/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CELPolicyException</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">
+CELPolicyExceptionSpec
+</a>
+</em>
+</td>
+<td>
+<p>Spec declares policy exception behaviors.</p>
+<br/>
+<br/>
+<table class="table table-striped">
+<tr>
+<td>
+<code>policyRefs</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.PolicyRef">
+[]PolicyRef
+</a>
+</em>
+</td>
+<td>
+<p>PolicyRefs identifies the policies to which the exception is applied.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchConditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.MatchCondition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="policies.kyverno.io/v1alpha1.ValidatingPolicy">ValidatingPolicy
 </h3>
 <p>
@@ -10778,10 +10871,214 @@ PolicyStatus
 </tbody>
 </table>
 <hr />
+<h3 id="policies.kyverno.io/v1alpha1.AutogenRule">AutogenRule
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.AutogenStatus">AutogenStatus</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>matchConstraints</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
+Kubernetes admissionregistration/v1.MatchResources
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchConditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.MatchCondition
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>validations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Validation
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>auditAnnotations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.AuditAnnotation
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>variables</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Variable
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="policies.kyverno.io/v1alpha1.AutogenStatus">AutogenStatus
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.PolicyStatus">PolicyStatus</a>)
+</p>
+<p>
+<p>AutogenStatus contains autogen status information.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>rules</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.AutogenRule">
+[]AutogenRule
+</a>
+</em>
+</td>
+<td>
+<p>Rules is a list of Rule instances. It contains auto generated rules added for pod controllers</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException</a>)
+</p>
+<p>
+<p>PolicyExceptionSpec stores policy exception spec</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>policyRefs</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.PolicyRef">
+[]PolicyRef
+</a>
+</em>
+</td>
+<td>
+<p>PolicyRefs identifies the policies to which the exception is applied.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchConditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.MatchCondition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy
+</h3>
+<p>
+</p>
 <h3 id="policies.kyverno.io/v1alpha1.PolicyConditionType">PolicyConditionType
 (<code>string</code> alias)</p></h3>
 <p>
 </p>
+<h3 id="policies.kyverno.io/v1alpha1.PolicyRef">PolicyRef
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name is the name of the policy</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Kind is the kind of the policy</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="policies.kyverno.io/v1alpha1.PolicyStatus">PolicyStatus
 </h3>
 <p>
@@ -10824,6 +11121,19 @@ The conditions array, the reason and message fields contain more detail about th
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>autogen</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.AutogenStatus">
+AutogenStatus
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />

pkg/cel/autogen/autogen.go

@@ -4,7 +4,7 @@ import (
 	"strings"
 
 	"github.com/kyverno/kyverno/api/kyverno"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -17,7 +17,7 @@ var podControllers = sets.New("daemonsets", "deployments", "jobs", "statefulsets
 //   - Pod is not defined
 //
 // Otherwise it returns all pod controllers
-func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
+func canAutoGen(spec *policiesv1alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
 	match := spec.MatchConstraints
 	if match.NamespaceSelector != nil {
 		if len(match.NamespaceSelector.MatchLabels) > 0 || len(match.NamespaceSelector.MatchExpressions) > 0 {
@@ -45,8 +45,8 @@ func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[stri
 	return true, podControllers
 }
 
-func generateRules(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) []kyvernov2alpha1.AutogenRule {
+func generateRules(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) []policiesv1alpha1.AutogenRule {
-	var genRules []kyvernov2alpha1.AutogenRule
+	var genRules []policiesv1alpha1.AutogenRule
 	// strip cronjobs from controllers if exist
 	isRemoved, controllers := stripCronJob(controllers)
 	// generate rule for pod controllers
@@ -82,10 +82,10 @@ func stripCronJob(controllers string) (bool, string) {
 	return isRemoved, strings.Join(newControllers, ",")
 }
 
-func ComputeRules(policy kyvernov2alpha1.GenericPolicy) []kyvernov2alpha1.AutogenRule {
+func ComputeRules(policy policiesv1alpha1.GenericPolicy) []policiesv1alpha1.AutogenRule {
 	applyAutoGen, desiredControllers := canAutoGen(policy.GetSpec())
 	if !applyAutoGen {
-		return []kyvernov2alpha1.AutogenRule{}
+		return []policiesv1alpha1.AutogenRule{}
 	}
 
 	var actualControllers sets.Set[string]

pkg/cel/autogen/autogen_test.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
@@ -19,7 +19,7 @@ func Test_CanAutoGen(t *testing.T) {
 		{
 			name: "policy-with-match-name",
 			policy: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "ValidatingPolicy",
     "metadata": {
         "name": "chech-labels"
@@ -66,7 +66,7 @@ func Test_CanAutoGen(t *testing.T) {
 		{
 			name: "policy-with-match-object-selector",
 			policy: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "ValidatingPolicy",
     "metadata": {
         "name": "chech-labels"
@@ -115,7 +115,7 @@ func Test_CanAutoGen(t *testing.T) {
 		{
 			name: "policy-with-match-namespace-selector",
 			policy: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "ValidatingPolicy",
     "metadata": {
         "name": "chech-labels"
@@ -164,7 +164,7 @@ func Test_CanAutoGen(t *testing.T) {
 		{
 			name: "policy-with-match-mixed-kinds-pod-podcontrollers",
 			policy: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "ValidatingPolicy",
     "metadata": {
         "name": "chech-labels"
@@ -223,7 +223,7 @@ func Test_CanAutoGen(t *testing.T) {
 		{
 			name: "policy-with-match-kinds-pod-only",
 			policy: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "ValidatingPolicy",
     "metadata": {
         "name": "chech-labels"
@@ -268,7 +268,7 @@ func Test_CanAutoGen(t *testing.T) {
 
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
-			var policy *kyvernov2alpha1.ValidatingPolicy
+			var policy *policiesv1alpha1.ValidatingPolicy
 			err := json.Unmarshal(test.policy, &policy)
 			assert.NilError(t, err)
 

pkg/cel/autogen/rule.go

@@ -6,11 +6,11 @@ import (
 	"slices"
 	"strings"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 )
 
-func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
+func generateCronJobRule(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
 	operations := spec.MatchConstraints.ResourceRules[0].Operations
 	// create a resource rule for the cronjob resource
 	matchConstraints := createMatchConstraints(controllers, operations)
@@ -61,7 +61,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
 		}
 	}
 
-	return &kyvernov2alpha1.AutogenRule{
+	return &policiesv1alpha1.AutogenRule{
 		MatchConstraints: matchConstraints,
 		MatchConditions:  matchConditions,
 		Validations:      validations,
@@ -70,7 +70,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
 	}, nil
 }
 
-func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
+func generateRuleForControllers(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
 	operations := spec.MatchConstraints.ResourceRules[0].Operations
 	// create a resource rule for pod controllers
 	matchConstraints := createMatchConstraints(controllers, operations)
@@ -119,7 +119,7 @@ func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, cont
 		}
 	}
 
-	return &kyvernov2alpha1.AutogenRule{
+	return &policiesv1alpha1.AutogenRule{
 		MatchConstraints: matchConstraints,
 		MatchConditions:  matchConditions,
 		Validations:      validations,

pkg/cel/autogen/rule_test.go

@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"gotest.tools/assert"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 )
@@ -15,7 +15,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 		name          string
 		controllers   string
 		policySpec    []byte
-		generatedRule kyvernov2alpha1.AutogenRule
+		generatedRule policiesv1alpha1.AutogenRule
 	}{
 		{
 			name:        "autogen rule for deployments",
@@ -46,7 +46,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 					}
 				]
 			}`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -100,7 +100,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 					}
 				]
 			}`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -160,7 +160,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 					}
 				]
 			}`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -195,7 +195,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			var spec *kyvernov2alpha1.ValidatingPolicySpec
+			var spec *policiesv1alpha1.ValidatingPolicySpec
 			err := json.Unmarshal(test.policySpec, &spec)
 			assert.NilError(t, err)
 
@@ -212,7 +212,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 func TestGenerateCronJobRule(t *testing.T) {
 	tests := []struct {
 		policySpec    []byte
-		generatedRule kyvernov2alpha1.AutogenRule
+		generatedRule policiesv1alpha1.AutogenRule
 	}{
 		{
 			policySpec: []byte(`{
@@ -241,7 +241,7 @@ func TestGenerateCronJobRule(t *testing.T) {
         }
     ]
 }`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -299,7 +299,7 @@ func TestGenerateCronJobRule(t *testing.T) {
         }
     ]
 }`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -364,7 +364,7 @@ func TestGenerateCronJobRule(t *testing.T) {
         }
     ]
 }`),
-			generatedRule: kyvernov2alpha1.AutogenRule{
+			generatedRule: policiesv1alpha1.AutogenRule{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -398,7 +398,7 @@ func TestGenerateCronJobRule(t *testing.T) {
 		},
 	}
 	for _, tt := range tests {
-		var spec *kyvernov2alpha1.ValidatingPolicySpec
+		var spec *policiesv1alpha1.ValidatingPolicySpec
 		err := json.Unmarshal(tt.policySpec, &spec)
 		assert.NilError(t, err)
 

pkg/cel/engine/engine.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	contextlib "github.com/kyverno/kyverno/pkg/cel/libs/context"
 	"github.com/kyverno/kyverno/pkg/cel/matching"
 	"github.com/kyverno/kyverno/pkg/cel/utils"
@@ -79,7 +79,7 @@ type EngineResponse struct {
 
 type PolicyResponse struct {
 	Actions sets.Set[admissionregistrationv1.ValidationAction]
-	Policy  kyvernov2alpha1.ValidatingPolicy
+	Policy  policiesv1alpha1.ValidatingPolicy
 	Rules   []engineapi.RuleResponse
 }
 

pkg/cel/engine/provider.go

@@ -5,9 +5,9 @@ import (
 	"fmt"
 	"sync"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/cel/policy"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"golang.org/x/exp/maps"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -23,7 +23,7 @@ import (
 
 type CompiledPolicy struct {
 	Actions        sets.Set[admissionregistrationv1.ValidationAction]
-	Policy         kyvernov2alpha1.ValidatingPolicy
+	Policy         policiesv1alpha1.ValidatingPolicy
 	CompiledPolicy policy.CompiledPolicy
 }
 
@@ -37,7 +37,7 @@ func (f ProviderFunc) CompiledPolicies(ctx context.Context) ([]CompiledPolicy, e
 	return f(ctx)
 }
 
-func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.ValidatingPolicy) (ProviderFunc, error) {
+func NewProvider(compiler policy.Compiler, policies ...policiesv1alpha1.ValidatingPolicy) (ProviderFunc, error) {
 	compiled := make([]CompiledPolicy, 0, len(policies))
 	for _, vp := range policies {
 		policy, err := compiler.Compile(&vp, nil)
@@ -63,18 +63,18 @@ func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.Validatin
 func NewKubeProvider(
 	compiler policy.Compiler,
 	mgr ctrl.Manager,
-	polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
+	polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
 ) (Provider, error) {
 	r := newPolicyReconciler(compiler, mgr.GetClient(), polexLister)
 	err := ctrl.NewControllerManagedBy(mgr).
-		For(&kyvernov2alpha1.ValidatingPolicy{}).
+		For(&policiesv1alpha1.ValidatingPolicy{}).
-		Watches(&kyvernov2alpha1.CELPolicyException{}, &handler.Funcs{
+		Watches(&policiesv1alpha1.CELPolicyException{}, &handler.Funcs{
 			CreateFunc: func(
 				ctx context.Context,
 				tce event.TypedCreateEvent[client.Object],
 				trli workqueue.TypedRateLimitingInterface[reconcile.Request],
 			) {
-				polex := tce.Object.(*kyvernov2alpha1.CELPolicyException)
+				polex := tce.Object.(*policiesv1alpha1.CELPolicyException)
 				for _, ref := range polex.Spec.PolicyRefs {
 					trli.Add(reconcile.Request{
 						NamespacedName: client.ObjectKey{
@@ -88,7 +88,7 @@ func NewKubeProvider(
 				tue event.TypedUpdateEvent[client.Object],
 				trli workqueue.TypedRateLimitingInterface[reconcile.Request],
 			) {
-				polex := tue.ObjectNew.(*kyvernov2alpha1.CELPolicyException)
+				polex := tue.ObjectNew.(*policiesv1alpha1.CELPolicyException)
 				for _, ref := range polex.Spec.PolicyRefs {
 					trli.Add(reconcile.Request{
 						NamespacedName: client.ObjectKey{
@@ -102,7 +102,7 @@ func NewKubeProvider(
 				tde event.TypedDeleteEvent[client.Object],
 				trli workqueue.TypedRateLimitingInterface[reconcile.Request],
 			) {
-				polex := tde.Object.(*kyvernov2alpha1.CELPolicyException)
+				polex := tde.Object.(*policiesv1alpha1.CELPolicyException)
 				for _, ref := range polex.Spec.PolicyRefs {
 					trli.Add(reconcile.Request{
 						NamespacedName: client.ObjectKey{
@@ -124,13 +124,13 @@ type policyReconciler struct {
 	compiler    policy.Compiler
 	lock        *sync.RWMutex
 	policies    map[string]CompiledPolicy
-	polexLister kyvernov2alpha1listers.CELPolicyExceptionLister
+	polexLister policiesv1alpha1listers.CELPolicyExceptionLister
 }
 
 func newPolicyReconciler(
 	compiler policy.Compiler,
 	client client.Client,
-	polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
+	polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
 ) *policyReconciler {
 	return &policyReconciler{
 		client:      client,
@@ -142,7 +142,7 @@ func newPolicyReconciler(
 }
 
 func (r *policyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	var policy kyvernov2alpha1.ValidatingPolicy
+	var policy policiesv1alpha1.ValidatingPolicy
 	err := r.client.Get(ctx, req.NamespacedName, &policy)
 	if errors.IsNotFound(err) {
 		r.lock.Lock()
@@ -184,12 +184,12 @@ func (r *policyReconciler) CompiledPolicies(ctx context.Context) ([]CompiledPoli
 	return maps.Values(r.policies), nil
 }
 
-func (r *policyReconciler) ListExceptions(policyName string) ([]kyvernov2alpha1.CELPolicyException, error) {
+func (r *policyReconciler) ListExceptions(policyName string) ([]policiesv1alpha1.CELPolicyException, error) {
 	polexList, err := r.polexLister.List(labels.Everything())
 	if err != nil {
 		return nil, err
 	}
-	var exceptions []kyvernov2alpha1.CELPolicyException
+	var exceptions []policiesv1alpha1.CELPolicyException
 	for _, polex := range polexList {
 		for _, ref := range polex.Spec.PolicyRefs {
 			if ref.Name == policyName {

pkg/cel/policy/compiler.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	engine "github.com/kyverno/kyverno/pkg/cel"
 	"github.com/kyverno/kyverno/pkg/cel/libs/context"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -23,7 +23,7 @@ const (
 )
 
 type Compiler interface {
-	Compile(*kyvernov2alpha1.ValidatingPolicy, []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
+	Compile(*policiesv1alpha1.ValidatingPolicy, []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
 }
 
 func NewCompiler() Compiler {
@@ -32,7 +32,7 @@ func NewCompiler() Compiler {
 
 type compiler struct{}
 
-func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy, exceptions []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
+func (c *compiler) Compile(policy *policiesv1alpha1.ValidatingPolicy, exceptions []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
 	var allErrs field.ErrorList
 	base, err := engine.NewEnv()
 	if err != nil {

pkg/cel/policy/compiler_test.go

@@ -3,7 +3,7 @@ package policy
 import (
 	"testing"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/stretchr/testify/assert"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -12,19 +12,19 @@ import (
 func Test_compiler_Compile(t *testing.T) {
 	tests := []struct {
 		name    string
-		policy  *kyvernov2alpha1.ValidatingPolicy
+		policy  *policiesv1alpha1.ValidatingPolicy
 		wantErr bool
 	}{{
 		name: "simple",
-		policy: &kyvernov2alpha1.ValidatingPolicy{
+		policy: &policiesv1alpha1.ValidatingPolicy{
 			TypeMeta: metav1.TypeMeta{
-				APIVersion: kyvernov2alpha1.GroupVersion.String(),
+				APIVersion: policiesv1alpha1.GroupVersion.String(),
 				Kind:       "ValidatingPolicy",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "foo",
 			},
-			Spec: kyvernov2alpha1.ValidatingPolicySpec{
+			Spec: policiesv1alpha1.ValidatingPolicySpec{
 				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 					Variables: []admissionregistrationv1.Variable{{
 						Name:       "environment",
@@ -38,15 +38,15 @@ func Test_compiler_Compile(t *testing.T) {
 		},
 	}, {
 		name: "with configmap",
-		policy: &kyvernov2alpha1.ValidatingPolicy{
+		policy: &policiesv1alpha1.ValidatingPolicy{
 			TypeMeta: metav1.TypeMeta{
-				APIVersion: kyvernov2alpha1.GroupVersion.String(),
+				APIVersion: policiesv1alpha1.GroupVersion.String(),
 				Kind:       "ValidatingPolicy",
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "foo",
 			},
-			Spec: kyvernov2alpha1.ValidatingPolicySpec{
+			Spec: policiesv1alpha1.ValidatingPolicySpec{
 				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 					Variables: []admissionregistrationv1.Variable{{
 						Name:       "cm",

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenrule.go

@@ -0,0 +1,87 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/admissionregistration/v1"
+)
+
+// AutogenRuleApplyConfiguration represents an declarative configuration of the AutogenRule type for use
+// with apply.
+type AutogenRuleApplyConfiguration struct {
+	MatchConstraints *v1.MatchResources   `json:"matchConstraints,omitempty"`
+	MatchConditions  []v1.MatchCondition  `json:"matchConditions,omitempty"`
+	Validations      []v1.Validation      `json:"validations,omitempty"`
+	AuditAnnotation  []v1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+	Variables        []v1.Variable        `json:"variables,omitempty"`
+}
+
+// AutogenRuleApplyConfiguration constructs an declarative configuration of the AutogenRule type for use with
+// apply.
+func AutogenRule() *AutogenRuleApplyConfiguration {
+	return &AutogenRuleApplyConfiguration{}
+}
+
+// WithMatchConstraints sets the MatchConstraints field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchConstraints field is set to the value of the last call.
+func (b *AutogenRuleApplyConfiguration) WithMatchConstraints(value v1.MatchResources) *AutogenRuleApplyConfiguration {
+	b.MatchConstraints = &value
+	return b
+}
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *AutogenRuleApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *AutogenRuleApplyConfiguration {
+	for i := range values {
+		b.MatchConditions = append(b.MatchConditions, values[i])
+	}
+	return b
+}
+
+// WithValidations adds the given value to the Validations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Validations field.
+func (b *AutogenRuleApplyConfiguration) WithValidations(values ...v1.Validation) *AutogenRuleApplyConfiguration {
+	for i := range values {
+		b.Validations = append(b.Validations, values[i])
+	}
+	return b
+}
+
+// WithAuditAnnotation adds the given value to the AuditAnnotation field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AuditAnnotation field.
+func (b *AutogenRuleApplyConfiguration) WithAuditAnnotation(values ...v1.AuditAnnotation) *AutogenRuleApplyConfiguration {
+	for i := range values {
+		b.AuditAnnotation = append(b.AuditAnnotation, values[i])
+	}
+	return b
+}
+
+// WithVariables adds the given value to the Variables field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Variables field.
+func (b *AutogenRuleApplyConfiguration) WithVariables(values ...v1.Variable) *AutogenRuleApplyConfiguration {
+	for i := range values {
+		b.Variables = append(b.Variables, values[i])
+	}
+	return b
+}

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenstatus.go

@@ -0,0 +1,44 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// AutogenStatusApplyConfiguration represents an declarative configuration of the AutogenStatus type for use
+// with apply.
+type AutogenStatusApplyConfiguration struct {
+	Rules []AutogenRuleApplyConfiguration `json:"rules,omitempty"`
+}
+
+// AutogenStatusApplyConfiguration constructs an declarative configuration of the AutogenStatus type for use with
+// apply.
+func AutogenStatus() *AutogenStatusApplyConfiguration {
+	return &AutogenStatusApplyConfiguration{}
+}
+
+// WithRules adds the given value to the Rules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Rules field.
+func (b *AutogenStatusApplyConfiguration) WithRules(values ...*AutogenRuleApplyConfiguration) *AutogenStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithRules")
+		}
+		b.Rules = append(b.Rules, *values[i])
+	}
+	return b
+}

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexception.go

@@ -0,0 +1,210 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CELPolicyExceptionApplyConfiguration represents an declarative configuration of the CELPolicyException type for use
+// with apply.
+type CELPolicyExceptionApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",omitempty,inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CELPolicyExceptionSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// CELPolicyException constructs an declarative configuration of the CELPolicyException type for use with
+// apply.
+func CELPolicyException(name, namespace string) *CELPolicyExceptionApplyConfiguration {
+	b := &CELPolicyExceptionApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CELPolicyException")
+	b.WithAPIVersion("policies.kyverno.io/v1alpha1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithKind(value string) *CELPolicyExceptionApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithAPIVersion(value string) *CELPolicyExceptionApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithName(value string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithGenerateName(value string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithNamespace(value string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithUID(value types.UID) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithResourceVersion(value string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithGeneration(value int64) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CELPolicyExceptionApplyConfiguration) WithLabels(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CELPolicyExceptionApplyConfiguration) WithAnnotations(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CELPolicyExceptionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CELPolicyExceptionApplyConfiguration) WithFinalizers(values ...string) *CELPolicyExceptionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CELPolicyExceptionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithSpec(value *CELPolicyExceptionSpecApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
+	b.Spec = value
+	return b
+}

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexceptionspec.go

@@ -0,0 +1,59 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/admissionregistration/v1"
+)
+
+// CELPolicyExceptionSpecApplyConfiguration represents an declarative configuration of the CELPolicyExceptionSpec type for use
+// with apply.
+type CELPolicyExceptionSpecApplyConfiguration struct {
+	PolicyRefs      []PolicyRefApplyConfiguration `json:"policyRefs,omitempty"`
+	MatchConditions []v1.MatchCondition           `json:"matchConditions,omitempty"`
+}
+
+// CELPolicyExceptionSpecApplyConfiguration constructs an declarative configuration of the CELPolicyExceptionSpec type for use with
+// apply.
+func CELPolicyExceptionSpec() *CELPolicyExceptionSpecApplyConfiguration {
+	return &CELPolicyExceptionSpecApplyConfiguration{}
+}
+
+// WithPolicyRefs adds the given value to the PolicyRefs field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the PolicyRefs field.
+func (b *CELPolicyExceptionSpecApplyConfiguration) WithPolicyRefs(values ...*PolicyRefApplyConfiguration) *CELPolicyExceptionSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithPolicyRefs")
+		}
+		b.PolicyRefs = append(b.PolicyRefs, *values[i])
+	}
+	return b
+}
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *CELPolicyExceptionSpecApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *CELPolicyExceptionSpecApplyConfiguration {
+	for i := range values {
+		b.MatchConditions = append(b.MatchConditions, values[i])
+	}
+	return b
+}

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policyref.go

@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// PolicyRefApplyConfiguration represents an declarative configuration of the PolicyRef type for use
+// with apply.
+type PolicyRefApplyConfiguration struct {
+	Name *string `json:"name,omitempty"`
+	Kind *string `json:"kind,omitempty"`
+}
+
+// PolicyRefApplyConfiguration constructs an declarative configuration of the PolicyRef type for use with
+// apply.
+func PolicyRef() *PolicyRefApplyConfiguration {
+	return &PolicyRefApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PolicyRefApplyConfiguration) WithName(value string) *PolicyRefApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *PolicyRefApplyConfiguration) WithKind(value string) *PolicyRefApplyConfiguration {
+	b.Kind = &value
+	return b
+}

pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policystatus.go

@@ -25,8 +25,9 @@ import (
 // PolicyStatusApplyConfiguration represents an declarative configuration of the PolicyStatus type for use
 // with apply.
 type PolicyStatusApplyConfiguration struct {
-	Ready      *bool          `json:"ready,omitempty"`
+	Ready      *bool                            `json:"ready,omitempty"`
-	Conditions []v1.Condition `json:"conditions,omitempty"`
+	Conditions []v1.Condition                   `json:"conditions,omitempty"`
+	Autogen    *AutogenStatusApplyConfiguration `json:"autogen,omitempty"`
 }
 
 // PolicyStatusApplyConfiguration constructs an declarative configuration of the PolicyStatus type for use with
@@ -52,3 +53,11 @@ func (b *PolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition)
 	}
 	return b
 }
+
+// WithAutogen sets the Autogen field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Autogen field is set to the value of the last call.
+func (b *PolicyStatusApplyConfiguration) WithAutogen(value *AutogenStatusApplyConfiguration) *PolicyStatusApplyConfiguration {
+	b.Autogen = value
+	return b
+}

pkg/client/applyconfigurations/utils.go

@@ -273,6 +273,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &kyvernov2beta1.ValidationApplyConfiguration{}
 
 		// Group=policies.kyverno.io, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithKind("AutogenRule"):
+		return &policieskyvernoiov1alpha1.AutogenRuleApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("AutogenStatus"):
+		return &policieskyvernoiov1alpha1.AutogenStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException"):
+		return &policieskyvernoiov1alpha1.CELPolicyExceptionApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyExceptionSpec"):
+		return &policieskyvernoiov1alpha1.CELPolicyExceptionSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("PolicyRef"):
+		return &policieskyvernoiov1alpha1.PolicyRefApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PolicyStatus"):
 		return &policieskyvernoiov1alpha1.PolicyStatusApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy"):

pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/celpolicyexception.go

@@ -0,0 +1,178 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CELPolicyExceptionsGetter has a method to return a CELPolicyExceptionInterface.
+// A group's client should implement this interface.
+type CELPolicyExceptionsGetter interface {
+	CELPolicyExceptions(namespace string) CELPolicyExceptionInterface
+}
+
+// CELPolicyExceptionInterface has methods to work with CELPolicyException resources.
+type CELPolicyExceptionInterface interface {
+	Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (*v1alpha1.CELPolicyException, error)
+	Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (*v1alpha1.CELPolicyException, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CELPolicyException, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CELPolicyExceptionList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error)
+	CELPolicyExceptionExpansion
+}
+
+// cELPolicyExceptions implements CELPolicyExceptionInterface
+type cELPolicyExceptions struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCELPolicyExceptions returns a CELPolicyExceptions
+func newCELPolicyExceptions(c *PoliciesV1alpha1Client, namespace string) *cELPolicyExceptions {
+	return &cELPolicyExceptions{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
+func (c *cELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
+	result = &v1alpha1.CELPolicyException{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
+func (c *cELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CELPolicyExceptionList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
+func (c *cELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cELPolicyException and creates it.  Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *cELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
+	result = &v1alpha1.CELPolicyException{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cELPolicyException).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *cELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
+	result = &v1alpha1.CELPolicyException{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		Name(cELPolicyException.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cELPolicyException).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
+func (c *cELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cELPolicyException.
+func (c *cELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
+	result = &v1alpha1.CELPolicyException{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("celpolicyexceptions").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_celpolicyexception.go

@@ -0,0 +1,129 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCELPolicyExceptions implements CELPolicyExceptionInterface
+type FakeCELPolicyExceptions struct {
+	Fake *FakePoliciesV1alpha1
+	ns   string
+}
+
+var celpolicyexceptionsResource = v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions")
+
+var celpolicyexceptionsKind = v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException")
+
+// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
+func (c *FakeCELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(celpolicyexceptionsResource, c.ns, name), &v1alpha1.CELPolicyException{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
+func (c *FakeCELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(celpolicyexceptionsResource, celpolicyexceptionsKind, c.ns, opts), &v1alpha1.CELPolicyExceptionList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CELPolicyExceptionList{ListMeta: obj.(*v1alpha1.CELPolicyExceptionList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CELPolicyExceptionList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
+func (c *FakeCELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(celpolicyexceptionsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cELPolicyException and creates it.  Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *FakeCELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *FakeCELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
+func (c *FakeCELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(celpolicyexceptionsResource, c.ns, name, opts), &v1alpha1.CELPolicyException{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(celpolicyexceptionsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CELPolicyExceptionList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cELPolicyException.
+func (c *FakeCELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(celpolicyexceptionsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CELPolicyException{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CELPolicyException), err
+}

pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_policies.kyverno.io_client.go

@@ -28,6 +28,10 @@ type FakePoliciesV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakePoliciesV1alpha1) CELPolicyExceptions(namespace string) v1alpha1.CELPolicyExceptionInterface {
+	return &FakeCELPolicyExceptions{c, namespace}
+}
+
 func (c *FakePoliciesV1alpha1) ValidatingPolicies() v1alpha1.ValidatingPolicyInterface {
 	return &FakeValidatingPolicies{c}
 }

pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/generated_expansion.go

@@ -18,4 +18,6 @@ limitations under the License.
 
 package v1alpha1
 
+type CELPolicyExceptionExpansion interface{}
+
 type ValidatingPolicyExpansion interface{}

pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/policies.kyverno.io_client.go

@@ -28,6 +28,7 @@ import (
 
 type PoliciesV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	CELPolicyExceptionsGetter
 	ValidatingPoliciesGetter
 }
 
@@ -36,6 +37,10 @@ type PoliciesV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *PoliciesV1alpha1Client) CELPolicyExceptions(namespace string) CELPolicyExceptionInterface {
+	return newCELPolicyExceptions(c, namespace)
+}
+
 func (c *PoliciesV1alpha1Client) ValidatingPolicies() ValidatingPolicyInterface {
 	return newValidatingPolicies(c)
 }

pkg/client/informers/externalversions/generic.go

@@ -82,6 +82,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().ValidatingPolicies().Informer()}, nil
 
 		// Group=policies.kyverno.io, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().CELPolicyExceptions().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("validatingpolicies"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().ValidatingPolicies().Informer()}, nil
 

pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/celpolicyexception.go

@@ -0,0 +1,90 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	policieskyvernoiov1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CELPolicyExceptionInformer provides access to a shared informer and lister for
+// CELPolicyExceptions.
+type CELPolicyExceptionInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CELPolicyExceptionLister
+}
+
+type cELPolicyExceptionInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCELPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&policieskyvernoiov1alpha1.CELPolicyException{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cELPolicyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCELPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cELPolicyExceptionInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&policieskyvernoiov1alpha1.CELPolicyException{}, f.defaultInformer)
+}
+
+func (f *cELPolicyExceptionInformer) Lister() v1alpha1.CELPolicyExceptionLister {
+	return v1alpha1.NewCELPolicyExceptionLister(f.Informer().GetIndexer())
+}

pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/interface.go

@@ -24,6 +24,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// CELPolicyExceptions returns a CELPolicyExceptionInformer.
+	CELPolicyExceptions() CELPolicyExceptionInformer
 	// ValidatingPolicies returns a ValidatingPolicyInformer.
 	ValidatingPolicies() ValidatingPolicyInformer
 }
@@ -39,6 +41,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// CELPolicyExceptions returns a CELPolicyExceptionInformer.
+func (v *version) CELPolicyExceptions() CELPolicyExceptionInformer {
+	return &cELPolicyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // ValidatingPolicies returns a ValidatingPolicyInformer.
 func (v *version) ValidatingPolicies() ValidatingPolicyInformer {
 	return &validatingPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}

pkg/client/listers/policies.kyverno.io/v1alpha1/celpolicyexception.go

@@ -0,0 +1,99 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CELPolicyExceptionLister helps list CELPolicyExceptions.
+// All objects returned here must be treated as read-only.
+type CELPolicyExceptionLister interface {
+	// List lists all CELPolicyExceptions in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
+	// CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
+	CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister
+	CELPolicyExceptionListerExpansion
+}
+
+// cELPolicyExceptionLister implements the CELPolicyExceptionLister interface.
+type cELPolicyExceptionLister struct {
+	indexer cache.Indexer
+}
+
+// NewCELPolicyExceptionLister returns a new CELPolicyExceptionLister.
+func NewCELPolicyExceptionLister(indexer cache.Indexer) CELPolicyExceptionLister {
+	return &cELPolicyExceptionLister{indexer: indexer}
+}
+
+// List lists all CELPolicyExceptions in the indexer.
+func (s *cELPolicyExceptionLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CELPolicyException))
+	})
+	return ret, err
+}
+
+// CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
+func (s *cELPolicyExceptionLister) CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister {
+	return cELPolicyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CELPolicyExceptionNamespaceLister helps list and get CELPolicyExceptions.
+// All objects returned here must be treated as read-only.
+type CELPolicyExceptionNamespaceLister interface {
+	// List lists all CELPolicyExceptions in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
+	// Get retrieves the CELPolicyException from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.CELPolicyException, error)
+	CELPolicyExceptionNamespaceListerExpansion
+}
+
+// cELPolicyExceptionNamespaceLister implements the CELPolicyExceptionNamespaceLister
+// interface.
+type cELPolicyExceptionNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CELPolicyExceptions in the indexer for a given namespace.
+func (s cELPolicyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CELPolicyException))
+	})
+	return ret, err
+}
+
+// Get retrieves the CELPolicyException from the indexer for a given namespace and name.
+func (s cELPolicyExceptionNamespaceLister) Get(name string) (*v1alpha1.CELPolicyException, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("celpolicyexception"), name)
+	}
+	return obj.(*v1alpha1.CELPolicyException), nil
+}

pkg/client/listers/policies.kyverno.io/v1alpha1/expansion_generated.go

@@ -18,6 +18,14 @@ limitations under the License.
 
 package v1alpha1
 
+// CELPolicyExceptionListerExpansion allows custom methods to be added to
+// CELPolicyExceptionLister.
+type CELPolicyExceptionListerExpansion interface{}
+
+// CELPolicyExceptionNamespaceListerExpansion allows custom methods to be added to
+// CELPolicyExceptionNamespaceLister.
+type CELPolicyExceptionNamespaceListerExpansion interface{}
+
 // ValidatingPolicyListerExpansion allows custom methods to be added to
 // ValidatingPolicyLister.
 type ValidatingPolicyListerExpansion interface{}

pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions/resource.generated.go

@@ -0,0 +1,337 @@
+package resource
+
+import (
+	context "context"
+	"fmt"
+	"time"
+
+	"github.com/go-logr/logr"
+	github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
+	"github.com/kyverno/kyverno/pkg/metrics"
+	"github.com/kyverno/kyverno/pkg/tracing"
+	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/multierr"
+	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+	k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+	logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Create")
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Create failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Create done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Delete")
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "Delete failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Delete done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "DeleteCollection")
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+	} else {
+		logger.Info("DeleteCollection done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Get")
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Get failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Get done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "List")
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "List failed", "duration", time.Since(start))
+	} else {
+		logger.Info("List done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Patch")
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Patch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Patch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Update")
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Update failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Update done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Watch")
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Watch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Watch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+
+type withMetrics struct {
+	inner    github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+	recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	defer c.recorder.RecordWithContext(arg0, "create")
+	return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete")
+	return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete_collection")
+	return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	defer c.recorder.RecordWithContext(arg0, "get")
+	return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+	defer c.recorder.RecordWithContext(arg0, "list")
+	return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	defer c.recorder.RecordWithContext(arg0, "patch")
+	return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	defer c.recorder.RecordWithContext(arg0, "update")
+	return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	defer c.recorder.RecordWithContext(arg0, "watch")
+	return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+	client string
+	kind   string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Create"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Delete"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("DeleteCollection"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Get"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("List"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Patch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Update"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Watch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}

pkg/clients/kyverno/policiesv1alpha1/client.generated.go

@@ -3,6 +3,7 @@ package client
 import (
 	"github.com/go-logr/logr"
 	github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
+	celpolicyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions"
 	validatingpolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/validatingpolicies"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"k8s.io/client-go/rest"
@@ -29,6 +30,10 @@ type withMetrics struct {
 func (c *withMetrics) RESTClient() rest.Interface {
 	return c.inner.RESTClient()
 }
+func (c *withMetrics) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CELPolicyException", c.clientType)
+	return celpolicyexceptions.WithMetrics(c.inner.CELPolicyExceptions(namespace), recorder)
+}
 func (c *withMetrics) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
 	recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingPolicy", c.clientType)
 	return validatingpolicies.WithMetrics(c.inner.ValidatingPolicies(), recorder)
@@ -42,6 +47,9 @@ type withTracing struct {
 func (c *withTracing) RESTClient() rest.Interface {
 	return c.inner.RESTClient()
 }
+func (c *withTracing) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	return celpolicyexceptions.WithTracing(c.inner.CELPolicyExceptions(namespace), c.client, "CELPolicyException")
+}
 func (c *withTracing) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
 	return validatingpolicies.WithTracing(c.inner.ValidatingPolicies(), c.client, "ValidatingPolicy")
 }
@@ -54,6 +62,9 @@ type withLogging struct {
 func (c *withLogging) RESTClient() rest.Interface {
 	return c.inner.RESTClient()
 }
+func (c *withLogging) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+	return celpolicyexceptions.WithLogging(c.inner.CELPolicyExceptions(namespace), c.logger.WithValues("resource", "CELPolicyExceptions").WithValues("namespace", namespace))
+}
 func (c *withLogging) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
 	return validatingpolicies.WithLogging(c.inner.ValidatingPolicies(), c.logger.WithValues("resource", "ValidatingPolicies"))
 }

pkg/controllers/report/aggregate/controller.go

@@ -12,9 +12,9 @@ import (
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+	policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@@ -52,7 +52,7 @@ type controller struct {
 	// listers
 	polLister   kyvernov1listers.PolicyLister
 	cpolLister  kyvernov1listers.ClusterPolicyLister
-	vpolLister  kyvernov2alpha1listers.ValidatingPolicyLister
+	vpolLister  policiesv1alpha1listers.ValidatingPolicyLister
 	vapLister   admissionregistrationv1listers.ValidatingAdmissionPolicyLister
 	ephrLister  cache.GenericLister
 	cephrLister cache.GenericLister
@@ -73,7 +73,7 @@ func NewController(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
-	vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+	vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
 	vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
 ) controllers.Controller {
 	ephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"))

pkg/controllers/report/background/controller.go

@@ -8,17 +8,17 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
 	"github.com/kyverno/kyverno/pkg/breaker"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
-	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+	policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
@@ -63,7 +63,7 @@ type controller struct {
 	// listers
 	polLister        kyvernov1listers.PolicyLister
 	cpolLister       kyvernov1listers.ClusterPolicyLister
-	vpolLister       kyvernov2alpha1listers.ValidatingPolicyLister
+	vpolLister       policiesv1alpha1listers.ValidatingPolicyLister
 	polexLister      kyvernov2listers.PolicyExceptionLister
 	vapLister        admissionregistrationv1listers.ValidatingAdmissionPolicyLister
 	vapBindingLister admissionregistrationv1listers.ValidatingAdmissionPolicyBindingLister
@@ -94,7 +94,7 @@ func NewController(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
-	vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+	vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
 	polexInformer kyvernov2informers.PolicyExceptionInformer,
 	vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
 	vapBindingInformer admissionregistrationv1informers.ValidatingAdmissionPolicyBindingInformer,
@@ -208,17 +208,17 @@ func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
 	c.enqueueResources()
 }
 
-func (c *controller) addVP(obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) addVP(obj *policiesv1alpha1.ValidatingPolicy) {
 	c.enqueueResources()
 }
 
-func (c *controller) updateVP(old, obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) updateVP(old, obj *policiesv1alpha1.ValidatingPolicy) {
 	if old.GetResourceVersion() != obj.GetResourceVersion() {
 		c.enqueueResources()
 	}
 }
 
-func (c *controller) deleteVP(obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) deleteVP(obj *policiesv1alpha1.ValidatingPolicy) {
 	c.enqueueResources()
 }
 

pkg/controllers/report/resource/controller.go

@@ -10,9 +10,9 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/admissionpolicy"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+	policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/controllers/report/utils"
@@ -81,7 +81,7 @@ type controller struct {
 	// listers
 	polLister  kyvernov1listers.PolicyLister
 	cpolLister kyvernov1listers.ClusterPolicyLister
-	vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
+	vpolLister policiesv1alpha1listers.ValidatingPolicyLister
 	vapLister  admissionregistrationv1listers.ValidatingAdmissionPolicyLister
 
 	// queue
@@ -96,7 +96,7 @@ func NewController(
 	client dclient.Interface,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
-	vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+	vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
 	vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
 ) Controller {
 	c := controller{

pkg/controllers/report/utils/utils.go

@@ -4,12 +4,12 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
-	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
 	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -151,8 +151,8 @@ func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrati
 	return bindings, nil
 }
 
-func FetchValidatingPolicies(vpolLister kyvernov2alpha1listers.ValidatingPolicyLister) ([]kyvernov2alpha1.ValidatingPolicy, error) {
+func FetchValidatingPolicies(vpolLister policiesv1alpha1listers.ValidatingPolicyLister) ([]policiesv1alpha1.ValidatingPolicy, error) {
-	var policies []kyvernov2alpha1.ValidatingPolicy
+	var policies []policiesv1alpha1.ValidatingPolicy
 	if pols, err := vpolLister.List(labels.Everything()); err != nil {
 		return nil, err
 	} else {

pkg/controllers/webhook/controller.go

@@ -11,14 +11,17 @@ import (
 	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/ext/wildcard"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	vpolautogen "github.com/kyverno/kyverno/pkg/cel/autogen"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+	policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
@@ -100,7 +103,7 @@ type controller struct {
 	vwcLister         admissionregistrationv1listers.ValidatingWebhookConfigurationLister
 	cpolLister        kyvernov1listers.ClusterPolicyLister
 	polLister         kyvernov1listers.PolicyLister
-	vpolLister        kyvernov2alpha1listers.ValidatingPolicyLister
+	vpolLister        policiesv1alpha1listers.ValidatingPolicyLister
 	deploymentLister  appsv1listers.DeploymentLister
 	secretLister      corev1listers.SecretLister
 	leaseLister       coordinationv1listers.LeaseLister
@@ -143,7 +146,7 @@ func NewController(
 	vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
 	polInformer kyvernov1informers.PolicyInformer,
-	vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+	vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
 	deploymentInformer appsv1informers.DeploymentInformer,
 	secretInformer corev1informers.SecretInformer,
 	leaseInformer coordinationv1informers.LeaseInformer,
@@ -382,7 +385,7 @@ func (c *controller) recordPolicyState(webhookConfigurationName string, policies
 	}
 }
 
-func (c *controller) recordValidatingPolicyState(validatingpolicies ...kyvernov2alpha1.GenericPolicy) {
+func (c *controller) recordValidatingPolicyState(validatingpolicies ...policiesv1alpha1.GenericPolicy) {
 	c.vpolState = make(map[string]bool)
 	for _, policy := range validatingpolicies {
 		c.vpolState[policy.GetName()] = true
@@ -661,9 +664,9 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
 		return err
 	}
 
-	updateStatusFunc := func(vpol kyvernov2alpha1.GenericPolicy) error {
+	updateStatusFunc := func(vpol policiesv1alpha1.GenericPolicy) error {
 		status := vpol.GetStatus()
-		status.SetReadyByCondition(kyvernov2alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
+		status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
 		status.Autogen.Rules = nil
 		rules := vpolautogen.ComputeRules(vpol)
 		status.Autogen.Rules = append(status.Autogen.Rules, rules...)
@@ -677,12 +680,12 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
 		}
 		err := controllerutils.UpdateStatus(
 			ctx,
-			vpol.(*kyvernov2alpha1.ValidatingPolicy),
+			vpol.(*policiesv1alpha1.ValidatingPolicy),
-			c.kyvernoClient.KyvernoV2alpha1().ValidatingPolicies(),
+			c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies(),
-			func(vpol *kyvernov2alpha1.ValidatingPolicy) error {
+			func(vpol *policiesv1alpha1.ValidatingPolicy) error {
 				return updateStatusFunc(vpol)
 			},
-			func(a *kyvernov2alpha1.ValidatingPolicy, b *kyvernov2alpha1.ValidatingPolicy) bool {
+			func(a *policiesv1alpha1.ValidatingPolicy, b *policiesv1alpha1.ValidatingPolicy) bool {
 				return datautils.DeepEqual(a.Status, b.Status)
 			},
 		)
@@ -1136,13 +1139,13 @@ func (c *controller) getAllPolicies() ([]kyvernov1.PolicyInterface, error) {
 	return policies, nil
 }
 
-func (c *controller) getValidatingPolicies() ([]kyvernov2alpha1.GenericPolicy, error) {
+func (c *controller) getValidatingPolicies() ([]policiesv1alpha1.GenericPolicy, error) {
 	validatingpolicies, err := c.vpolLister.List(labels.Everything())
 	if err != nil {
 		return nil, err
 	}
 
-	vpols := make([]kyvernov2alpha1.GenericPolicy, 0)
+	vpols := make([]policiesv1alpha1.GenericPolicy, 0)
 	for _, vpol := range validatingpolicies {
 		vpols = append(vpols, vpol)
 	}

pkg/controllers/webhook/validatingpolicy.go

@@ -1,14 +1,14 @@
 package webhook
 
 import (
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/cel/autogen"
 	"github.com/kyverno/kyverno/pkg/config"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/utils/ptr"
 )
 
-func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []kyvernov2alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
+func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []policiesv1alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
 	var (
 		webhookIgnoreList []admissionregistrationv1.ValidatingWebhook
 		webhookFailList   []admissionregistrationv1.ValidatingWebhook
@@ -49,7 +49,7 @@ func buildWebhookRules(cfg config.Configuration, server string, servicePort int3
 			webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
 		}
 
-		for _, rule := range autogen.ComputeRules(vpol.(*kyvernov2alpha1.ValidatingPolicy)) {
+		for _, rule := range autogen.ComputeRules(vpol.(*policiesv1alpha1.ValidatingPolicy)) {
 			for _, match := range rule.MatchConstraints.ResourceRules {
 				webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
 			}

pkg/controllers/webhook/validatingpolicy_test.go

@@ -3,7 +3,7 @@ package webhook
 import (
 	"testing"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/stretchr/testify/assert"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -14,14 +14,14 @@ import (
 func TestBuildWebhookRules(t *testing.T) {
 	tests := []struct {
 		name             string
-		vpols            []*kyvernov2alpha1.ValidatingPolicy
+		vpols            []*policiesv1alpha1.ValidatingPolicy
 		expectedWebhooks []admissionregistrationv1.ValidatingWebhook
 	}{
 		{
 			name: "Single Ignore Policy",
-			vpols: []*kyvernov2alpha1.ValidatingPolicy{
+			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
-					Spec: kyvernov2alpha1.ValidatingPolicySpec{
+					Spec: policiesv1alpha1.ValidatingPolicySpec{
 						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 							FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
 							MatchConstraints: &admissionregistrationv1.MatchResources{
@@ -63,9 +63,9 @@ func TestBuildWebhookRules(t *testing.T) {
 		},
 		{
 			name: "Single Fail Policy",
-			vpols: []*kyvernov2alpha1.ValidatingPolicy{
+			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
-					Spec: kyvernov2alpha1.ValidatingPolicySpec{
+					Spec: policiesv1alpha1.ValidatingPolicySpec{
 						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 							FailurePolicy: ptr.To(admissionregistrationv1.Fail),
 							MatchConstraints: &admissionregistrationv1.MatchResources{
@@ -107,13 +107,13 @@ func TestBuildWebhookRules(t *testing.T) {
 		},
 		{
 			name: "Fine-Grained Ignore Policy",
-			vpols: []*kyvernov2alpha1.ValidatingPolicy{
+			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-fine-grained-ignore",
 					},
-					Spec: kyvernov2alpha1.ValidatingPolicySpec{
+					Spec: policiesv1alpha1.ValidatingPolicySpec{
-						WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
+						WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
 							TimeoutSeconds: ptr.To(int32(30)),
 						},
 						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@@ -161,13 +161,13 @@ func TestBuildWebhookRules(t *testing.T) {
 		},
 		{
 			name: "Fine-Grained Fail Policy",
-			vpols: []*kyvernov2alpha1.ValidatingPolicy{
+			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-fine-grained-fail",
 					},
-					Spec: kyvernov2alpha1.ValidatingPolicySpec{
+					Spec: policiesv1alpha1.ValidatingPolicySpec{
-						WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
+						WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
 							TimeoutSeconds: ptr.To(int32(20)),
 						},
 						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@@ -229,7 +229,7 @@ func TestBuildWebhookRules(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var vpols []kyvernov2alpha1.GenericPolicy
+			var vpols []policiesv1alpha1.GenericPolicy
 			for _, vpol := range tt.vpols {
 				vpols = append(vpols, vpol)
 			}

pkg/engine/api/policy.go

@@ -2,7 +2,7 @@ package api
 
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,7 +25,7 @@ type GenericPolicy interface {
 	// AsValidatingAdmissionPolicy returns the validating admission policy
 	AsValidatingAdmissionPolicy() *admissionregistrationv1.ValidatingAdmissionPolicy
 	// AsValidatingPolicy returns the validating policy
-	AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy
+	AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy
 }
 
 type genericPolicy struct {
@@ -33,7 +33,7 @@ type genericPolicy struct {
 	PolicyInterface           kyvernov1.PolicyInterface
 	ValidatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy
 	MutatingAdmissionPolicy   *admissionregistrationv1alpha1.MutatingAdmissionPolicy
-	ValidatingPolicy          *kyvernov2alpha1.ValidatingPolicy
+	ValidatingPolicy          *policiesv1alpha1.ValidatingPolicy
 }
 
 func (p *genericPolicy) AsObject() any {
@@ -48,7 +48,7 @@ func (p *genericPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1.V
 	return p.ValidatingAdmissionPolicy
 }
 
-func (p *genericPolicy) AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy {
+func (p *genericPolicy) AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy {
 	return p.ValidatingPolicy
 }
 
@@ -61,7 +61,7 @@ func (p *genericPolicy) GetAPIVersion() string {
 	case p.MutatingAdmissionPolicy != nil:
 		return admissionregistrationv1alpha1.SchemeGroupVersion.String()
 	case p.ValidatingPolicy != nil:
-		return kyvernov2alpha1.GroupVersion.String()
+		return policiesv1alpha1.GroupVersion.String()
 	}
 	return ""
 }
@@ -109,7 +109,7 @@ func NewMutatingAdmissionPolicy(pol *admissionregistrationv1alpha1.MutatingAdmis
 	}
 }
 
-func NewValidatingPolicy(pol *kyvernov2alpha1.ValidatingPolicy) GenericPolicy {
+func NewValidatingPolicy(pol *policiesv1alpha1.ValidatingPolicy) GenericPolicy {
 	return &genericPolicy{
 		Object:           pol,
 		ValidatingPolicy: pol,

pkg/utils/admission/celexception.go

@@ -1,21 +1,21 @@
 package admission
 
 import (
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/util/json"
 )
 
-func UnmarshalCELPolicyException(raw []byte) (*kyvernov2alpha1.CELPolicyException, error) {
+func UnmarshalCELPolicyException(raw []byte) (*policiesv1alpha1.CELPolicyException, error) {
-	var exception *kyvernov2alpha1.CELPolicyException
+	var exception *policiesv1alpha1.CELPolicyException
 	if err := json.Unmarshal(raw, &exception); err != nil {
 		return nil, err
 	}
 	return exception, nil
 }
 
-func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2alpha1.CELPolicyException, *kyvernov2alpha1.CELPolicyException, error) {
+func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*policiesv1alpha1.CELPolicyException, *policiesv1alpha1.CELPolicyException, error) {
-	var empty *kyvernov2alpha1.CELPolicyException
+	var empty *policiesv1alpha1.CELPolicyException
 	exception, err := UnmarshalCELPolicyException(request.Object.Raw)
 	if err != nil {
 		return exception, empty, err

pkg/utils/admission/celexception_test.go

@@ -6,7 +6,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/json"
 
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -56,7 +56,7 @@ func Test_UnmarshalCELPolicyException(t *testing.T) {
 				if err != nil {
 					t.Errorf("Unexpected error: %v", err)
 				}
-				var exception *kyvernov2alpha1.CELPolicyException
+				var exception *policiesv1alpha1.CELPolicyException
 				json.Unmarshal(test.raw, &exception)
 				if !reflect.DeepEqual(result, exception) {
 					t.Errorf("Expected %+v, got %+v", exception, result)
@@ -155,7 +155,7 @@ func TestGetCELPolicyExceptions(t *testing.T) {
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
 			p1, p2, _ := GetCELPolicyExceptions(test.args.request)
-			var empty *kyvernov2alpha1.CELPolicyException
+			var empty *policiesv1alpha1.CELPolicyException
 			expectedP1, err := UnmarshalCELPolicyException(test.args.request.Object.Raw)
 			if err != nil {
 				expectedP2 := empty

pkg/utils/yaml/loadpolicy.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	extyaml "github.com/kyverno/kyverno/ext/yaml"
 	log "github.com/kyverno/kyverno/pkg/logging"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -18,7 +18,7 @@ func GetPolicy(bytes []byte) (
 	policies []kyvernov1.PolicyInterface,
 	validatingAdmissionPolicies []admissionregistrationv1.ValidatingAdmissionPolicy,
 	validatingAdmissionPolicyBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding,
-	validatingPolicies []kyvernov2alpha1.ValidatingPolicy,
+	validatingPolicies []policiesv1alpha1.ValidatingPolicy,
 	err error,
 ) {
 	documents, err := extyaml.SplitDocuments(bytes)
@@ -84,7 +84,7 @@ func parse(obj unstructured.Unstructured) (
 	*admissionregistrationv1.ValidatingAdmissionPolicy,
 	*admissionregistrationv1.ValidatingAdmissionPolicyBinding,
 	kyvernov1.PolicyInterface,
-	*kyvernov2alpha1.ValidatingPolicy,
+	*policiesv1alpha1.ValidatingPolicy,
 	error,
 ) {
 	switch obj.GetKind() {
@@ -159,8 +159,8 @@ func parseClusterPolicy(obj unstructured.Unstructured) (*kyvernov1.ClusterPolicy
 	return &out, nil
 }
 
-func parseValidatingPolicy(obj unstructured.Unstructured) (*kyvernov2alpha1.ValidatingPolicy, error) {
+func parseValidatingPolicy(obj unstructured.Unstructured) (*policiesv1alpha1.ValidatingPolicy, error) {
-	var out kyvernov2alpha1.ValidatingPolicy
+	var out policiesv1alpha1.ValidatingPolicy
 	if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(obj.Object, &out, true); err != nil {
 		return nil, fmt.Errorf("failed to decode policy: %v", err)
 	}

pkg/validation/exception/validate_test.go

@@ -71,7 +71,7 @@ func Test_Validate(t *testing.T) {
 					Namespace: "kyverno",
 				},
 				resource: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "CELPolicyException",
     "metadata": {
         "name": "pod-security-exception",
@@ -102,7 +102,7 @@ func Test_Validate(t *testing.T) {
 					Namespace: "kyverno",
 				},
 				resource: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "CELPolicyException",
     "metadata": {
         "name": "pod-security-exception",
@@ -133,7 +133,7 @@ func Test_Validate(t *testing.T) {
 					Namespace: "delta",
 				},
 				resource: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "CELPolicyException",
     "metadata": {
         "name": "pod-security-exception",
@@ -164,7 +164,7 @@ func Test_Validate(t *testing.T) {
 					Namespace: "*",
 				},
 				resource: []byte(`{
-    "apiVersion": "kyverno.io/v2alpha1",
+    "apiVersion": "policies.kyverno.io/v1alpha1",
     "kind": "CELPolicyException",
     "metadata": {
         "name": "pod-security-exception",

test/cli/test-validating-policy/check-deployment-labels/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/cli/test-validating-policy/check-deployments-replica/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-replicas

test/cli/test-validating-policy/disallow-host-path/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-host-path

test/conformance/chainsaw/cel-policy-exceptions/empty-policy-ref/exception.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: CELPolicyException
 metadata:
   name: pod-security-exception

test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/exception.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: CELPolicyException
 metadata:
   name: pod-security-exception

test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/none/check-autogen.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/none/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/check-autogen.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: disallow-privilege-escalation

test/conformance/chainsaw/validating-policies/context/configmap/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/context/image-data/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/report/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-actions/audit/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-actions/deny/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-actions/none/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-actions/warn/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-rules/accept/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/validation-rules/reject/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/multiple/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels

test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/single/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
   name: check-deployment-labels