diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 3f5631534a..b86b8b6739 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -6,16 +6,24 @@ on: - 'release*' jobs: - run-conformace: + run-conformance: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # pin@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3.1.0 - name: Unshallow run: git fetch --prune --unshallow - name: Setup go - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # pin@v3 + uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # pin@v3.3.1 with: go-version: ~1.18.6 - - name: Kyverno conformance tests - run: go run ./test/conformance/main.go + - name: Prep environment + run: make kind-create-cluster kind-deploy-kyverno + - name: Wait for Kyverno to start + run: sleep 60 + - name: Install kuttl + run: curl -sL https://github.com/kudobuilder/kuttl/releases/download/v0.13.0/kubectl-kuttl_0.13.0_linux_x86_64 -o kuttl && chmod +x kuttl + - name: Test with kuttl + run: ./kuttl test --config ./test/conformance/kuttl/kuttl-test.yaml + # - name: Kyverno conformance tests + # run: go run ./test/conformance/main.go diff --git a/test/conformance/kuttl/aaa_template_resources/01-assert.yaml b/test/conformance/kuttl/aaa_template_resources/01-assert.yaml new file mode 100644 index 0000000000..304a5e80c4 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/01-assert.yaml @@ -0,0 +1,8 @@ +# An assert file can be a partial representation of an object. What is specified MUST be present for the check to pass and the test to proceed. +# If the specified timeout is reached and the assert does not evaluate to true, the test fails and halts. +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +status: + ready: true \ No newline at end of file 
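Review bot: The `Install kuttl` step downloads a release binary with `curl -sL` and then executes it against the CI cluster without any integrity check, so a replaced release asset — or an HTML error page, since `-f` is absent — would run with the runner's kubeconfig. The actions in this same hunk are pinned to commit SHAs, and the binary deserves the equivalent: `curl -fsSL <url> -o kuttl && echo "<sha256 from the v0.13.0 release checksums>  kuttl" | sha256sum -c - && chmod +x kuttl`. The fixed `sleep 60` in `Wait for Kyverno to start` is a timing guess; a `kubectl wait --for=condition=Available` (or `kubectl rollout status`) on the deployment that `kind-deploy-kyverno` installs would be both faster and deterministic. The `on:` block this hunk begins in starts outside the hunk.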
diff --git a/test/conformance/kuttl/aaa_template_resources/01-manifests.yaml b/test/conformance/kuttl/aaa_template_resources/01-manifests.yaml new file mode 100644 index 0000000000..f577d14177 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/01-manifests.yaml @@ -0,0 +1,20 @@ +# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file. +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + rules: + - name: add-labels + match: + resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/kuttl/aaa_template_resources/02-assert.yaml b/test/conformance/kuttl/aaa_template_resources/02-assert.yaml new file mode 100644 index 0000000000..dcb47a5770 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/02-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: testingsecret + namespace: default + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/02-secret.yaml b/test/conformance/kuttl/aaa_template_resources/02-secret.yaml new file mode 100644 index 0000000000..cfafb7c22b --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/02-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: testingsecret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/03-delete.yaml b/test/conformance/kuttl/aaa_template_resources/03-delete.yaml new file mode 100644 index 0000000000..8c0ce38c1c --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/03-delete.yaml 
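Review bot: The template ClusterPolicy in `01-manifests.yaml` uses the bare `match.resources.kinds` form, while every real test added later in this commit uses `match.any[].resources` (the clone tests on `kyverno.io/v2beta1`); since this directory is what new tests are copied from, it should model the same shape, with `any:` under `match:` and `- resources:` / `kinds:` nested beneath it. The rule also mutates every Pod, Service, ConfigMap and Secret cluster-wide with no `exclude`, which is acceptable on a throwaway kind cluster but deserves a comment such as `# test-only: no namespace exclusions; do not copy to a shared cluster` so the template is not lifted elsewhere unchanged.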
@@ -0,0 +1,8 @@ +# Specifying the kind as `TestStep` performs certain behaviors like this delete operation. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: v1 + kind: Secret + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/05-errors.yaml b/test/conformance/kuttl/aaa_template_resources/05-errors.yaml new file mode 100644 index 0000000000..12452a8cbf --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/05-errors.yaml @@ -0,0 +1,6 @@ +### If this resource is found, create an error which fails the test. Since there is no timeout for this step, it will adopt the global defined in the TestSuite. +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/99-cleanup.yaml b/test/conformance/kuttl/aaa_template_resources/99-cleanup.yaml new file mode 100644 index 0000000000..6ed1836e07 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/99-cleanup.yaml @@ -0,0 +1,5 @@ +# A clean-up is presently required because kuttl does not do a reliable job of cleaning up both cluster-scoped objects. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-secret.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/BEST_PRACTICES.md b/test/conformance/kuttl/aaa_template_resources/BEST_PRACTICES.md new file mode 100644 index 0000000000..c245e1ada6 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/BEST_PRACTICES.md 
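Review bot: `03-delete.yaml` and `05-errors.yaml` in the template target `Secret regcred` in namespace `bar`, but nothing in this directory creates that object — `01-manifests.yaml`/`02-secret.yaml` create `add-labels` and `default/testingsecret` — so the errors check passes vacuously and anyone copying the template inherits a delete of a resource that never existed (how kuttl treats a not-found delete target should be confirmed). Pointing both steps at `testingsecret` in `default` keeps the template self-consistent, or each should carry a comment `# Placeholder: edit to match the objects your 01/02 steps create`. In `99-cleanup.yaml` the `--force` flag only sets a zero grace period, which changes nothing for a ClusterPolicy or a Secret, so `kubectl delete -f 01-manifests.yaml,02-secret.yaml --wait=true --ignore-not-found=true` is the cleaner line for the other cleanup files to copy.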
@@ -0,0 +1,6 @@ +# Some Best Practices + +* Don't put anything in index `00` so it can be used in the future. +* Put clean-up as index `99` so it's always last no matter how many steps. +* The `*-errors.yaml` file, like an `*-assert.yaml` file only performs an existence check, not a creation check. +* One test can contain both positive and negative tests by extending the test case. No need to write separate. \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/README.md b/test/conformance/kuttl/aaa_template_resources/README.md new file mode 100644 index 0000000000..22091f0fe0 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/README.md @@ -0,0 +1,5 @@ +# Title + +Issue: 1234 + +This is a description of your test. diff --git a/test/conformance/kuttl/aaa_template_resources/commands/04-sleep.yaml b/test/conformance/kuttl/aaa_template_resources/commands/04-sleep.yaml new file mode 100644 index 0000000000..fe3b8abbcb --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/commands/04-sleep.yaml @@ -0,0 +1,5 @@ +# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: sleep 3 \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/commands/99-cleanup.yaml b/test/conformance/kuttl/aaa_template_resources/commands/99-cleanup.yaml new file mode 100644 index 0000000000..b7de47a47c --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/commands/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-secret.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file 
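Review bot: `commands/99-cleanup.yaml` deletes `01-manifests.yaml,02-secret.yaml`, but neither file exists in the `commands/` directory; kuttl runs `commands` from the test-case directory, so if `commands/` (or `scripts/`) is ever collected as a test case — which depends on the `testDirs` in `kuttl-test.yaml`, not shown in this diff — the step fails on a missing file (`--ignore-not-found` covers absent objects, not absent files). If these subdirectories are meant only as snippets, a leading comment such as `# Example step only; not a runnable test case` makes that explicit, otherwise the paths should be `../01-manifests.yaml,../02-secret.yaml`.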
diff --git a/test/conformance/kuttl/aaa_template_resources/scripts/01-script-check-for-error.yaml b/test/conformance/kuttl/aaa_template_resources/scripts/01-script-check-for-error.yaml new file mode 100644 index 0000000000..fc29fa83d3 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scripts/01-script-check-for-error.yaml @@ -0,0 +1,13 @@ +## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml + then + echo "Tested failed. Policy was created when it shouldn't have been." + exit 1 + else + echo "Test succeeded. Policy was not created as intended." + exit 0 + fi \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scripts/02-script-check-for-output.yaml b/test/conformance/kuttl/aaa_template_resources/scripts/02-script-check-for-output.yaml new file mode 100644 index 0000000000..a7ddaea4c4 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scripts/02-script-check-for-output.yaml @@ -0,0 +1,13 @@ +## Checks that there is specific output when creating a manifest +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'clusterRoles' + then + echo "Has clusterRoles." + exit 0 + else + echo "Does not have clusterRoles." + exit 1 + fi \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/README.md b/test/conformance/kuttl/generate/clusterpolicy/cornercases/README.md new file mode 100644 index 0000000000..99979ca070 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/README.md 
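Review bot: `scripts/01-script-check-for-error.yaml` reports success whenever `kubectl apply` exits non-zero, so a missing `manifests.yaml` (no such file exists in `scripts/`), an unreachable API server or an RBAC denial all look like the policy being correctly rejected — the test cannot fail for the wrong reason. Capture the output and pass only when the apply fails and the output carries the rejection text the test expects; the echo also says `Tested failed.` where `Test failed.` is meant. The rewrite below keeps the `TestStep` wrapper unchanged.
```yaml
- script: |
    if out=$(kubectl apply -f manifests.yaml 2>&1); then
      echo "Test failed. Policy was created when it shouldn't have been."
      exit 1
    fi
    # Replace the pattern with the rejection text this test expects (e.g. the webhook denial message).
    if ! printf '%s\n' "$out" | grep -q '<expected rejection text>'; then
      echo "Test failed. kubectl apply failed for an unexpected reason:"
      printf '%s\n' "$out"
      exit 1
    fi
    echo "Test succeeded. Policy was not created as intended."
```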
@@ -0,0 +1,3 @@ +# Title + +Tests in the `cornercases` directory should typically correspond either to a specific Kyverno issue (please provide issue number or link) or a Slack conversation if no issue is logged. These are NOT standard tests for basic functionality but outliers or highly specific/esoteric combinations that have exposed a bug in the past. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/README.md new file mode 100644 index 0000000000..a822f444f4 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/README.md @@ -0,0 +1,3 @@ +# Title + +Tests in the `standard` directory should only cover basic functionality of a feature. For testing of specific corner cases addressed as acknowledged bugs, please use the `cornercases` directory. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml new file mode 100644 index 0000000000..aa86792b0a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-nosync-clone +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml new file mode 100644 index 0000000000..f3713bb3bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml 
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-nosync-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: false + clone: + namespace: default + name: regcred +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-assert.yaml new file mode 100644 index 0000000000..54cede2c50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/99-cleanup.yaml 
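Review bot: `02-assert.yaml` only asserts that a Secret named `regcred` exists in `bar`, not that it is the clone of `default/regcred`, so an empty or differently-typed Secret produced by any other path would pass a test whose purpose is to verify cloning. kuttl asserts are partial matches, so adding `type: Opaque` and `data:` with `foo: YmFy` (the values from `01-manifests.yaml`) pins the copied contents; the data-based test elsewhere in this commit already asserts its ConfigMap data this way.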
@@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md new file mode 100644 index 0000000000..ff3a2de1a2 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a cloned secret shows properly in the new Namespace. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml new file mode 100644 index 0000000000..aa86792b0a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-nosync-clone +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml new file mode 100644 index 0000000000..f3713bb3bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml 
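Review bot: Every generate test in this commit creates the same cluster-scoped fixtures — Namespace `bar`, the source Secret `default/regcred`, and ClusterPolicy names shared between the `create` and `delete-downstream` cases — and this `99-cleanup.yaml` removes them with `kubectl delete`; unless `kuttl-test.yaml` (not in this diff) sets `parallel: 1`, kuttl runs test cases concurrently by default and these tests race on each other's objects, and a Namespace still `Terminating` from one test rejects the `02-ns.yaml` create of the next. Giving each test its own namespace and policy name (e.g. `cpol-nosync-clone-create` and a per-test namespace) removes the coupling regardless of the parallelism setting.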
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-nosync-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: false + clone: + namespace: default + name: regcred +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml new file mode 100644 index 0000000000..54cede2c50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null 
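Review bot: The clone policy here, like its sibling clone tests, matches every Namespace with no `exclude`, whereas the data-based policy later in this commit excludes `kube-system`, `default`, `kube-public` and `kyverno`; for a rule that copies a registry credential into each matched namespace the narrower match is the least-privilege shape and the one a user is likely to copy from a conformance suite. Because `generateExistingOnPolicyUpdate` is unset here the rule only fires on namespace creation, so adding the same `exclude:` block does not change what the test observes in `bar`.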
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-delete-secret.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-delete-secret.yaml new file mode 100644 index 0000000000..9040065230 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-delete-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: v1 + kind: Secret + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-sleep.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-sleep.yaml new file mode 100644 index 0000000000..e0f2098e5d --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-sleep.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: sleep 3 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-errors.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-errors.yaml new file mode 100644 index 0000000000..12452a8cbf --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-errors.yaml 
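Review bot: The `04-sleep.yaml` step followed by the `05-errors.yaml` check is a race rather than a check: a kuttl `errors` file passes as soon as the listed object is absent, which is already true the instant `03-delete-secret.yaml` completes, so the only window in which a wrongly regenerated Secret could be observed is the fixed 3 s sleep. A script step that watches for the object over a fixed interval and fails the moment it reappears is more reliable and self-describing; it would replace both `04-sleep.yaml` and `05-errors.yaml` (the latter lies past this hunk).
```yaml
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
    # Fail if Kyverno regenerates the downstream Secret at any point in the window.
    for i in $(seq 1 10); do
      if kubectl get secret regcred -n bar >/dev/null 2>&1; then
        echo "Test failed. Secret regcred was regenerated in namespace bar."
        exit 1
      fi
      sleep 1
    done
    echo "Test succeeded. Secret regcred was not regenerated."
```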
@@ -0,0 +1,6 @@ +### If this resource is found, create an error which fails the test. Since there is no timeout for this step, it will adopt the global defined in the TestSuite. +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md new file mode 100644 index 0000000000..ff89967525 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md @@ -0,0 +1,7 @@ +# Title + +This test ensures that deletion of a downstream resource created by a ClusterPolicy `generate` rule with sync disabled using a clone declaration does NOT cause it to be regenerated. If the downstream resource is regenerated, the test fails. If it is not regenerated, the test succeeds. + +### Tests a clone rule with sync not enabled that deleting a downstream resource shows it is not recreated. +### Because https://github.com/kyverno/kyverno/issues/4457 is not yet fixed for this type, the test will fail. +### Expected result: fail \ No newline at end of file 
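Review bot: `05-errors.yaml` is the step that the README in this directory says is expected to fail until kyverno/kyverno#4457 is fixed, and a failing kuttl test makes the new `Test with kuttl` workflow step exit non-zero, so as committed the conformance job is red by design. Either exclude this case from `kuttl-test.yaml` until the issue lands, or keep it but record the expectation in the step itself with a leading comment such as `# Expected to fail until kyverno/kyverno#4457 is fixed; re-enable in kuttl-test.yaml afterwards`.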
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml new file mode 100644 index 0000000000..370f29765b --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-sync-clone +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml new file mode 100644 index 0000000000..005f75e40b --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-sync-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: regcred +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml new file mode 100644 index 0000000000..54cede2c50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file 
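Review bot: This is the only create test with `synchronize: true` on a clone rule, yet its steps stop at `02-assert.yaml` checking that `bar/regcred` exists, so the property that distinguishes it from the `nosync` case — a change to the source `default/regcred` propagating downstream — is never exercised. A follow-on step that patches the source, e.g. `kubectl patch secret regcred -n default -p '{"data":{"foo":"YmF6"}}'`, followed by an assert on `foo: YmF6` under `data` in `bar` would test rotation of the cloned credential, which is the security-relevant reason to enable sync.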
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md new file mode 100644 index 0000000000..ff3a2de1a2 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a cloned secret shows properly in the new Namespace. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml new file mode 100644 index 0000000000..370f29765b --- /dev/null 
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-sync-clone +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml new file mode 100644 index 0000000000..005f75e40b --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-sync-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: regcred +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml new file mode 100644 index 0000000000..54cede2c50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file 
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-delete-secret.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-delete-secret.yaml new file mode 100644 index 0000000000..9040065230 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-delete-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: v1 + kind: Secret + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-sleep.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-sleep.yaml new file mode 100644 index 0000000000..e0f2098e5d --- /dev/null 
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-sleep.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: sleep 3 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-assert.yaml new file mode 100644 index 0000000000..c1a3970413 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-assert.yaml @@ -0,0 +1,6 @@ +### If this resource is found, the step should pass. We expect the downstream resource to be recreated. +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md new file mode 100644 index 0000000000..ff89967525 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md 
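Review bot: `05-assert.yaml` checks only that a Secret `regcred` exists again in `bar`, so a recreated-but-empty object passes; as in the create test, asserting `type: Opaque` and `data:` with `foo: YmFy` pins that the regenerated object is the clone of the source. The `04-sleep.yaml` before it is unnecessary, since kuttl asserts already poll until the step timeout. The `README.md` added for this directory (just past this hunk) is copied from the `nosync` case — it describes sync as disabled and an expected failure — and contradicts the `05-assert.yaml` comment; it should state that regeneration is the expected outcome here.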
@@ -0,0 +1,7 @@ +# Title + +This test ensures that deletion of a downstream resource created by a ClusterPolicy `generate` rule with sync disabled using a clone declaration does NOT cause it to be regenerated. If the downstream resource is regenerated, the test fails. If it is not regenerated, the test succeeds. + +### Tests a clone rule with sync not enabled that deleting a downstream resource shows it is not recreated. +### Because https://github.com/kyverno/kyverno/issues/4457 is not yet fixed for this type, the test will fail. +### Expected result: fail \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml new file mode 100644 index 0000000000..952a960e50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml new file mode 100644 index 0000000000..3677a6290d --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml new file mode 100644 index 0000000000..e20de3d1bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml 
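Review bot: `generateExistingOnPolicyUpdate: true` in `01-manifests.yaml` makes Kyverno generate the ConfigMap into every namespace that already exists when the policy is created, not only into `bar` from step 02, and the `exclude` list covers only `kube-system`, `default`, `kube-public` and `kyverno`; any other pre-existing namespace (a kind cluster usually carries `kube-node-lease` and `local-path-storage` — confirm against what `kind-create-cluster` builds) receives a `zk-kafka-address` ConfigMap that `99-cleanup.yaml` never deletes and that, with `synchronize: false`, survives removal of the policy, leaking state into later tests. Unless generation into existing namespaces is the behaviour under test, drop that line; if it is, add those namespaces to `exclude` or have the cleanup remove the ConfigMap across namespaces via the `somekey: somevalue` label the rule stamps on it.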
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-downstream-delete.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-downstream-delete.yaml
new file mode 100644
index 0000000000..c0b69b5c96
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-downstream-delete.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-errors.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-errors.yaml
new file mode 100644
index 0000000000..322ded2e15
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/99-cleanup.yaml
new file mode 100644
index 0000000000..1c6b4578bc
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
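Review bot: The `04-errors.yaml` check cannot fail the way this test intends. Step 03 deletes the ConfigMap, and kuttl (if I read its check loop correctly) passes an errors file the first time the object is absent — which is immediately after the delete, before the generate controller has had any opportunity to regenerate it, so a broken `synchronize: false` would still produce a green run. Give the controller time to misbehave before the absence is checked: add a wait step between 03 and 04 (renumbering `04-errors.yaml`) containing `commands:` / `- command: sleep 10`, or otherwise document on the errors file why an immediate check is believed sufficient. `02-ns.yaml` and the delete step itself are fine.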
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md new file mode 100644 index 0000000000..e4636d9dc5 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml new file mode 100644 index 0000000000..952a960e50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml new file mode 100644 index 0000000000..f029bc421a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml new file mode 100644 index 0000000000..e20de3d1bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file 
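Review bot: Nothing in this test exercises the `exclude` block: `02-assert.yaml` only shows the ConfigMap landing in `bar`, so a regression that dropped the exclusion would still pass, although that exclusion is what keeps a cluster-wide generate rule with `generateExistingOnPolicyUpdate: true` from writing into `kube-system`, `default` and `kyverno`. Add a `02-errors.yaml` holding `kind: ConfigMap` with `name: zk-kafka-address` / `namespace: default`, so the step also proves an excluded namespace stays untouched once generation into `bar` has been observed (kuttl can only express absence through an errors file; by the time the `bar` assert matches, generation into pre-existing namespaces would presumably have run too). The quoting on `namespace: "{{request.object.metadata.name}}"` is correct and worth keeping — an unquoted `{{` is parsed as a YAML flow mapping.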
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md new file mode 100644 index 0000000000..1a6d9f9309 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a generate policy using a data declaration with sync enabled creates a downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml new file mode 100644 index 0000000000..952a960e50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + ready: true \ No newline at end of file 
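Review bot: `--force` in the cleanup command is unnecessary and slightly misleading: it bypasses graceful deletion (recent kubectl treats it as `--grace-period=0` and warns), but a Namespace still runs its finalizer, so it is `--wait=true` that actually keeps the next test from colliding with a `bar` namespace that is still Terminating. I'd reduce it to `- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --wait=true --ignore-not-found=true`. Either way a comment on the step is warranted, because every test in this directory recreates `bar` and the suite's isolation rests on `parallel: 1` plus this wait.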
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml new file mode 100644 index 0000000000..f029bc421a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml new file mode 100644 index 0000000000..e20de3d1bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file 
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml new file mode 100644 index 0000000000..e20de3d1bb --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml new file mode 100644 index 0000000000..322ded2e15 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: zk-kafka-address + namespace: bar \ No newline at end of file 
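Review bot: `03-assert.yaml` is byte-identical to `02-assert.yaml` and there is no step-03 manifest or command, so step 03 merely re-checks the state step 02 already established. Either drop it, or move the ClusterPolicy deletion from step 04 into step 03 so that the `04-errors.yaml` absence check sits in its own step — that reads as "delete, then observe" and makes the intent of the duplicate assert unnecessary. Note the errors file works correctly in this test only because kuttl keeps polling until the ConfigMap disappears; the same construct in the nosync test does not have that property.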
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml new file mode 100644 index 0000000000..e8dff700b2 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: zk-kafka-address \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md new file mode 100644 index 0000000000..e4636d9dc5 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace. 
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml new file mode 100644 index 0000000000..952a960e50 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml new file mode 100644 index 0000000000..f029bc421a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml new file mode 100644 index 0000000000..e20de3d1bb --- /dev/null 
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml new file mode 100644 index 0000000000..55cba48ae1 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: bar \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml new file mode 100644 index 0000000000..9cada13ab3 --- /dev/null 
+++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md new file mode 100644 index 0000000000..10c3b6432d --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md 
@@ -0,0 +1,3 @@
+# Title
+
+This is a generate test to ensure a generate policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap.
diff --git a/test/conformance/kuttl/kuttl-test.yaml b/test/conformance/kuttl/kuttl-test.yaml
new file mode 100644
index 0000000000..8f4b4b9ece
--- /dev/null
+++ b/test/conformance/kuttl/kuttl-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestSuite
+testDirs:
+ # Generate tests
+# - ./generate/clusterpolicy/standard/clone/nosync
+- ./test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync
+- ./test/conformance/kuttl/generate/clusterpolicy/standard/data/sync
+- ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
+ # Mutate tests
+- ./test/conformance/kuttl/mutate/clusterpolicy/standard
+- ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing
+ # Validate tests
+- ./test/conformance/kuttl/validate/clusterpolicy/standard/audit
+- ./test/conformance/kuttl/validate/clusterpolicy/standard/enforce
+ # verifyImages tests
+- ./test/conformance/kuttl/verifyImages/clusterpolicy/standard
+ # Report tests
+- ./test/conformance/kuttl/reports/admission
+- ./test/conformance/kuttl/reports/background
+startKIND: false
+timeout: 15
+parallel: 1
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml
new file mode 100644
index 0000000000..7f1d7387c9
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-labels
+status:
+ ready: true
\ No newline at end of file
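Review bot: `timeout: 15` governs every step's assert loop, including the `status.ready: true` checks that wait for the webhook to register each ClusterPolicy; on a cold kind cluster in CI (the workflow only sleeps 60s after deploying Kyverno) that is tight and will surface as flaky failures rather than policy bugs — consider `timeout: 30` or per-step overrides. The `testDirs` entries appear to be resolved against the working directory, which is why they start with `./test/conformance/kuttl/` and the suite must be launched from the repo root, whereas the commented-out `# - ./generate/clusterpolicy/standard/clone/nosync` uses a different base and would not resolve if uncommented. Two comments would save the next person the trip: `# paths are relative to the repo root: ./kuttl test --config test/conformance/kuttl/kuttl-test.yaml` and, on `parallel: 1`, `# must stay 1: the ClusterPolicies under test are cluster-wide and would cross-contaminate concurrent tests`.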
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml new file mode 100644 index 0000000000..970b4aa5c4 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + rules: + - name: add-labels + match: + resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml new file mode 100644 index 0000000000..dcb47a5770 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: testingsecret + namespace: default + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml new file mode 100644 index 0000000000..cfafb7c22b --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: testingsecret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml new file mode 100644 index 0000000000..b7de47a47c --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml 
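Review bot: The `add-labels` policy matches Pod, Service, ConfigMap and Secret in every namespace with no `exclude`, so while it exists it also mutates objects in `kube-system`, `kyverno` and anything another step creates, although the test only needs `default/testingsecret`. Scope the match to `default` — this both limits the blast radius if `99-cleanup.yaml` fails and leaves the policy behind, and lets the block use the `match.any` form every other policy in this change uses (`match.resources` is the legacy shape). The partial `02-assert.yaml` is adequate for a smoke test.
```yaml
  rules:
  - name: add-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Service
          - ConfigMap
          - Secret
          namespaces:
          - default
    # … unchanged: mutate.patchStrategicMerge …
```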
@@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-secret.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/README.md new file mode 100644 index 0000000000..7ca7b77a9e --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/README.md @@ -0,0 +1,3 @@ +# Title + +This is a basic mutation test. diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml new file mode 100644 index 0000000000..56d8a26762 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml new file mode 100644 index 0000000000..8400e934c9 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-1 + namespace: staging +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: secret-1 + namespace: staging +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: "mutate-existing-secret" +spec: + rules: + - name: "mutate-secret-on-configmap-event" + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-1 + namespaces: + - staging + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: secret-1 + namespace: "{{ request.object.metadata.namespace }}" + patchStrategicMerge: + metadata: + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml new file mode 100644 index 0000000000..ca18559545 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: bar + dog: dory +kind: ConfigMap +metadata: + name: dictionary-1 + namespace: staging \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml new file mode 100644 index 0000000000..5e7a224346 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret-1 + namespace: staging + labels: + foo: bar \ No newline at end of file 
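Review bot: As written the test cannot tell whether `secret-1` received `foo: bar` from the ConfigMap UPDATE in step 02 (the behaviour under test) or already during step 01, because `dictionary-1` and the policy are applied from the same file and nothing inspects the Secret before the trigger. Add a `01-errors.yaml` carrying the Secret with `metadata: {name: secret-1, namespace: staging, labels: {foo: bar}}` so step 01 fails if the label is present before the update; together with `03-assert.yaml` the test then brackets the mutation. Separately, `mutate.targets` on a `Secret` means the background controller, not the admission path, is writing Secrets, which presumably needs its ClusterRole to permit that — `status.ready: true` does not prove it, so a failure here may be RBAC rather than policy logic; a comment above `targets:` saying so would help triage. The `app-type` label and `cloud.platformzero.com/serviceClass` annotation on the Namespace are unused by the test and can go.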
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md new file mode 100644 index 0000000000..3f13a0c273 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md @@ -0,0 +1,3 @@ +# Title + +This is a test for mutation of existing resources. diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml new file mode 100644 index 0000000000..db1e70c8b3 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml 
@@ -0,0 +1,89 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: qa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: chip +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chip-qa-rolebinding + namespace: qa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chip +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: chip +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chip-special-role + namespace: qa +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - create + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chip-qa-specialrb + namespace: qa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chip-special-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: chip +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: record-creation-details +spec: + background: false + rules: + - name: add-userinfo + match: + any: + - resources: + kinds: + - ConfigMap + preconditions: + any: + - key: "{{request.operation || 'BACKGROUND'}}" + operator: Equals + value: CREATE + mutate: + patchStrategicMerge: + metadata: + annotations: + kyverno.io/created-by: "{{ request.userInfo | to_string(@) }}" + kyverno.io/roles: "{{ request.roles | sort(@) | to_string(@) }}" + kyverno.io/clusterroles: "{{ request.clusterRoles | sort(@) | to_string(@) }}" \ No newline at end of file diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml new file mode 100644 index 0000000000..c9c2e91468 --- /dev/null 
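Review bot: The `add-userinfo` rule serialises the whole `request.userInfo` (username, groups and whatever `extra` claims the authenticator attaches) into an annotation readable by anyone who can `get` the ConfigMap; that is what the test wants to observe, but this is a pattern people copy, so mark it: `# test-only: writing request.userInfo to an annotation exposes the caller's groups/extra claims to every reader of the object`. `background: false` is correct and required here, since `request.userInfo`, `request.roles` and `request.clusterRoles` exist only on the admission path. The RBAC is sensibly minimal; binding ClusterRole `chip` through a namespaced RoleBinding is exactly what makes `chip` appear under `request.clusterRoles` while `chip-special-role` appears as `qa:chip-special-role`, so a one-line comment on `chip-qa-rolebinding` saying this is deliberate would keep someone from "fixing" it into a ClusterRoleBinding and breaking `04-assert.yaml`.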
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml @@ -0,0 +1,50 @@ +## Runs the identity generation script. This assumes that there is only one entry in the kubeconfig. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + #!/bin/bash + set -eu + + export USERNAME=chip + export NAMESPACE=qa + export CA=ca.crt + #### + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}') + #### Set CLUSTER from kubeconfig assuming it's the first in the list. + CLUSTER=$(kubectl config view --raw -o jsonpath='{.clusters[0].name}') + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=mygroup/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl --kubeconfig=$USERNAME-kubeconfig config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the cluster info + kubectl --kubeconfig=$USERNAME-kubeconfig config set-cluster $CLUSTER --server=$CLUSTER_SERVER --certificate-authority=$CA --embed-certs + #### Set the context + kubectl --kubeconfig=$USERNAME-kubeconfig config set-context $USERNAME-$NAMESPACE-$CLUSTER --user=$USERNAME --cluster=$CLUSTER --namespace=$NAMESPACE + #### Use the context + kubectl --kubeconfig=$USERNAME-kubeconfig config use-context $USERNAME-$NAMESPACE-$CLUSTER + ### Clean up the approved CSR + kubectl delete certificatesigningrequest chip \ No newline at end of file 
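Review bot: The inline script writes a fresh private key (`chip.key`), the signed client certificate and `chip-kubeconfig` into the test directory and nothing removes them — `99-cleanup.yaml` only deletes `01-manifests.yaml` — so a local run leaves working client credentials for `chip` on disk and in `git status`. The heredoc that submits and approves the CertificateSigningRequest appears to have been lost in this rendering (`cat < $USERNAME.crt`), so I can only review what survives: use `set -euo pipefail` as `script.sh` does instead of `set -eu`, otherwise a failed `kubectl config view` in the `| base64 --decode > ca.crt` pipeline goes unnoticed, and replace the hardcoded `kubectl delete certificatesigningrequest chip` with `kubectl delete certificatesigningrequest "$USERNAME"`. Also worth a comment above that delete: an issued client certificate cannot be revoked, so removing the CSR does not end `chip`'s access — only deleting the RBAC objects (or the cluster) does.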
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml
new file mode 100644
index 0000000000..e106e2f13a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl -n qa create cm foo --from-literal=foo=bar --kubeconfig chip-kubeconfig
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml
new file mode 100644
index 0000000000..180e861149
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ annotations:
+ kyverno.io/clusterroles: '["chip","system:basic-user","system:discovery","system:public-info-viewer"]'
+ kyverno.io/created-by: '{"groups":["mygroup","system:authenticated"],"username":"chip"}'
+ kyverno.io/roles: '["qa:chip-special-role"]'
+ name: foo
+ namespace: qa
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
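Review bot: `04-assert.yaml` pins `kyverno.io/clusterroles` to the exact string `'["chip","system:basic-user","system:discovery","system:public-info-viewer"]'`, i.e. `chip` plus whatever the cluster's default bindings grant `system:authenticated`; kuttl asserts are partial for maps but exact for scalar values, so on a distribution with additional default ClusterRoleBindings this fails although Kyverno behaved correctly. Either record the dependency with `# exact list depends on the cluster's default system:authenticated bindings (kind)`, or drop that annotation from the assert and keep `kyverno.io/roles` and `kyverno.io/created-by`, which only depend on objects this test creates.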
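Review bot: `99-cleanup.yaml` removes the RBAC objects but not the credential files step 02 generated, so `chip.key`, `chip.crt`, `chip.csr`, `ca.crt` and `chip-kubeconfig` outlive the test. Add `- command: rm -f chip-kubeconfig chip.key chip.csr chip.crt ca.crt` (commands evidently run from the test directory, as the relative `--kubeconfig chip-kubeconfig` in step 03 already relies on). `--force` on the delete is unnecessary; `--wait=true` is what makes the `qa` namespace removal safe for the next test.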
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md new file mode 100644 index 0000000000..c14baaac90 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md @@ -0,0 +1,3 @@ +# Title + +This test verifies that Kyverno is able to pick up and write the `request.userInfo` information from the AdmissionReview payload correctly, as well as the pre-defined vars `request.roles` and `request.clusterRoles` by creating and then performing an action as a new user in the system. The expectation is the custom group and username are both being reflected correctly in a mutation. Similar tests exist for validation flows. diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh new file mode 100644 index 0000000000..b3c5709f93 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh 
@@ -0,0 +1,44 @@ +#!/bin/bash +set -euo pipefail + +export USERNAME=chip +export NAMESPACE=qa +export CA=ca.crt +#### +#### Get CA certificate from kubeconfig assuming it's the first in the list. +kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ca.crt +#### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. +CLUSTER_SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}') +#### Set CLUSTER from kubeconfig assuming it's the first in the list. +CLUSTER=$(kubectl config view --raw -o jsonpath='{.clusters[0].name}') +#### Generate private key +openssl genrsa -out $USERNAME.key 2048 +#### Create CSR +openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=mygroup/CN=$USERNAME" +#### Send CSR to kube-apiserver for approval +cat < $USERNAME.crt +#### +#### Create the credential object and output the new kubeconfig file +kubectl --kubeconfig=$USERNAME-kubeconfig config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs +#### Set the cluster info +kubectl --kubeconfig=$USERNAME-kubeconfig config set-cluster $CLUSTER --server=$CLUSTER_SERVER --certificate-authority=$CA --embed-certs +#### Set the context +kubectl --kubeconfig=$USERNAME-kubeconfig config set-context $USERNAME-$NAMESPACE-$CLUSTER --user=$USERNAME --cluster=$CLUSTER --namespace=$NAMESPACE +#### Use the context +kubectl --kubeconfig=$USERNAME-kubeconfig config use-context $USERNAME-$NAMESPACE-$CLUSTER +### Clean up the approved CSR +kubectl delete certificatesigningrequest chip \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-assert.yaml b/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-assert.yaml new file mode 100644 index 0000000000..8d9a20c329 --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-assert.yaml 
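Review bot: The script leaves the generated client private key (`chip.key`), its certificate, `ca.crt` and the `chip-kubeconfig` file (which embeds the key via `--embed-certs`) in the test directory, while the last line removes only the approved CSR and the directory's 99-cleanup step deletes only 01-manifests.yaml; a final `rm -f "$USERNAME.key" "$USERNAME.csr" "$USERNAME.crt" "$CA" "$USERNAME-kubeconfig"` (or an entry in .gitignore) keeps a key-bearing kubeconfig from lingering in a checkout. That last line also hard-codes `chip` where the rest of the script uses `$USERNAME`; `kubectl delete certificatesigningrequest "$USERNAME"` keeps the two in step. As rendered here the step between CSR creation and the `.crt` file reads `cat < $USERNAME.crt`, which looks like a here-document lost in rendering; if the checked-in file really contains that line the CSR is never submitted or approved, so worth confirming against the source. The unquoted `$USERNAME` expansions are fine for the fixed value `chip`, but quoting them is the safer habit if the script is reused with other names.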
@@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-owner +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-manifests.yaml b/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-manifests.yaml new file mode 100644 index 0000000000..576fe03288 --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/01-manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-owner +spec: + validationFailureAction: audit + background: false + rules: + - name: check-owner + match: + any: + - resources: + kinds: + - Namespace + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/02-ns.yaml b/test/conformance/kuttl/reports/admission/test-report-admission-mode/02-ns.yaml new file mode 100644 index 0000000000..4f230d84eb --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/02-ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar + labels: + owner: david \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/03-assert.yaml b/test/conformance/kuttl/reports/admission/test-report-admission-mode/03-assert.yaml new file mode 100644 index 0000000000..efaaf4c2a1 --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/03-assert.yaml 
@@ -0,0 +1,15 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + name: cpol-require-owner +results: +- message: validation rule 'check-owner' passed. + policy: require-owner + resources: + - apiVersion: v1 + kind: Namespace + name: bar + result: pass + rule: check-owner + scored: true + source: kyverno \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/99-cleanup.yaml b/test/conformance/kuttl/reports/admission/test-report-admission-mode/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/reports/admission/test-report-admission-mode/README.md b/test/conformance/kuttl/reports/admission/test-report-admission-mode/README.md new file mode 100644 index 0000000000..cdc1a901a7 --- /dev/null +++ b/test/conformance/kuttl/reports/admission/test-report-admission-mode/README.md @@ -0,0 +1,3 @@ +# Title + +This test checks that a Policy Report in admission mode is created with an entry that is as expected. \ No newline at end of file diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/01-assert.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/01-assert.yaml new file mode 100644 index 0000000000..6fa1f4c067 --- /dev/null +++ b/test/conformance/kuttl/reports/background/test-report-background-mode/01-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + namespace: default \ No newline at end of file 
diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/01-manifests.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/01-manifests.yaml new file mode 100644 index 0000000000..00ac4d5575 --- /dev/null +++ b/test/conformance/kuttl/reports/background/test-report-background-mode/01-manifests.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + namespace: default +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault \ No newline at end of file diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/02-assert.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/02-assert.yaml new file mode 100644 index 0000000000..559357481d --- /dev/null +++ b/test/conformance/kuttl/reports/background/test-report-background-mode/02-assert.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: podsecurity-subrule-restricted +spec: + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: restricted + validate: + podSecurity: + level: restricted + version: latest + validationFailureAction: audit +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/02-cpol.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/02-cpol.yaml new file mode 100644 index 0000000000..0bd22853c8 --- /dev/null +++ b/test/conformance/kuttl/reports/background/test-report-background-mode/02-cpol.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: podsecurity-subrule-restricted + annotations: + policies.kyverno.io/title: Restricted Pod Security Standards + policies.kyverno.io/category: Pod Security + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.8.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + The restricted profile of the Pod Security Standards, which is inclusive of + the baseline profile, is a collection of all the most common configurations + that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile + may be assigned to the cluster through a single rule. This policy configures the + restricted profile through the latest version of the Pod Security Standards cluster wide. +spec: + background: true + validationFailureAction: audit + rules: + - name: restricted + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest \ No newline at end of file diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/03-assert.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/03-assert.yaml new file mode 100644 index 0000000000..73981fd078 --- /dev/null +++ b/test/conformance/kuttl/reports/background/test-report-background-mode/03-assert.yaml 
@@ -0,0 +1,27 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  name: cpol-podsecurity-subrule-restricted
+  namespace: default
+results:
+- category: Pod Security
+  message: |
+    Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
+    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
+  policy: podsecurity-subrule-restricted
+  resources:
+  - apiVersion: v1
+    kind: Pod
+    name: badpod01
+    namespace: default
+  result: fail
+  rule: restricted
+  scored: true
+  severity: medium
+  source: kyverno
+summary:
+  error: 0
+  fail: 1
+  pass: 0
+  skip: 0
+  warn: 0
\ No newline at end of file
diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/99-cleanup.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/99-cleanup.yaml
new file mode 100644
index 0000000000..c5bcf59c45
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/test-report-background-mode/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml,02-cpol.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/README.md b/test/conformance/kuttl/reports/background/test-report-background-mode/README.md
new file mode 100644
index 0000000000..98bbddf4a3
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/test-report-background-mode/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This test checks that a Policy Report is created with an entry that is as expected.
\ No newline at end of file
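Review bot: The `message` block scalar in 03-assert.yaml pins the exact PodSecurity text, including the same `ForbiddenDetail` clause twice and the trailing newline the `|` style keeps; if that repetition is an artifact of how the report message is assembled rather than intended output, the assertion cements it and will break on the next wording change. The other asserted fields (`result: fail`, `rule: restricted`, `severity: medium`, the `summary` counts) already establish that the report entry is correct, so the message could be dropped from the assertion, or kept with a comment above it recording that the duplicated clause is the expected current output so the next reader does not "fix" it.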
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml new file mode 100644 index 0000000000..0a2e7acf8a --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +## Checks that there is specific output when creating a manifest + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'invalid variable used' + then + echo "Test succeeded. The phrase 'invalid variable used' is found." + exit 0 + else + echo "Test failed. The phrase 'invalid variable used' has not been found." + exit 1 + fi \ No newline at end of file diff --git a/test/conformance/manifests/validate/fail/background-match-clusterroles.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml similarity index 94% rename from test/conformance/manifests/validate/fail/background-match-clusterroles.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml index 74884770cc..99b1923251 100644 --- a/test/conformance/manifests/validate/fail/background-match-clusterroles.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml @@ -19,4 +19,4 @@ spec: pattern: metadata: labels: - owner: "?*" + owner: "?*" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null 
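Review bot: `grep -q` in the `script` step discards kubectl's output, so when the phrase is missing the kuttl log only says it "has not been found" and nothing about what the API server actually returned; capturing the output first keeps the diagnostic: `out=$(kubectl apply -f manifests.yaml 2>&1 || true)`, `echo "$out"`, `if echo "$out" | grep -q 'invalid variable used'`. The same shape is repeated in the 01-script-check-for-output.yaml steps of background-match-roles, background-vars-roles, background-vars-serviceAccountName and background-vars-userInfo later in this diff.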
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created).
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml
new file mode 100644
index 0000000000..99b1923251
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: background-match-clusterroles
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: ns-clusterroles
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        clusterRoles:
+        - foo-admin
+    validate:
+      message: The `owner` label is required for all Namespaces.
+      pattern:
+        metadata:
+          labels:
+            owner: "?*"
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml
new file mode 100644
index 0000000000..0a2e7acf8a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml
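Review bot: The rule in manifests.yaml matches `kinds: - Pod` but its `validate.message` talks about a label being required for all Namespaces, which reads as a copy of the admission-mode Namespace policy; since this policy is meant to be rejected the text never reaches a user, but rewording it to Pods (or a one-line comment saying the validate body is filler and only the `clusterRoles` match matters) avoids misleading the next reader. The same mismatch is in the manifests.yaml of background-match-roles, background-vars-roles, background-vars-serviceAccountName and background-vars-userInfo. Those four sibling tests also carry a README that still says the rejection is because clusterRoles is not valid in background mode, while their manifests exercise `roles`, `request.roles`, `serviceAccountName` and `request.userInfo` respectively.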
@@ -0,0 +1,14 @@ +## Checks that there is specific output when creating a manifest + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'invalid variable used' + then + echo "Test succeeded. The phrase 'invalid variable used' is found." + exit 0 + else + echo "Test failed. The phrase 'invalid variable used' has not been found." + exit 1 + fi \ No newline at end of file diff --git a/test/conformance/manifests/validate/fail/background-match-roles.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml similarity index 94% rename from test/conformance/manifests/validate/fail/background-match-roles.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml index b247f9a215..c8980b5133 100644 --- a/test/conformance/manifests/validate/fail/background-match-roles.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml @@ -19,4 +19,4 @@ spec: pattern: metadata: labels: - owner: "?*" + owner: "?*" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml new file mode 100644 index 0000000000..c8980b5133 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-roles +spec: + validationFailureAction: audit + background: true + rules: + - name: ns-roles + match: + any: + - resources: + kinds: + - Pod + roles: + - foo-role + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml new file mode 100644 index 0000000000..120259ce0b --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +## Checks that there is specific output when creating a manifest + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{request.roles}} is not allowed' + then + echo "Test succeeded. The phrase 'variable {{request.roles}} is not allowed' is found." + exit 0 + else + echo "Test failed. The phrase 'variable {{request.roles}} is not allowed' has not been found." + exit 1 + fi \ No newline at end of file 
diff --git a/test/conformance/manifests/validate/fail/background-vars-roles.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml similarity index 91% rename from test/conformance/manifests/validate/fail/background-vars-roles.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml index 541569ce04..c1c3968a53 100644 --- a/test/conformance/manifests/validate/fail/background-vars-roles.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml @@ -17,4 +17,4 @@ spec: pattern: metadata: labels: - foo: "{{request.roles}}" + foo: "{{request.roles}}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml new file mode 100644 index 0000000000..c1c3968a53 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml 
@@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-roles +spec: + validationFailureAction: audit + background: true + rules: + - name: ns-vars-roles + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + foo: "{{request.roles}}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml new file mode 100644 index 0000000000..e781794400 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +## Checks that there is specific output when creating a manifest + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{serviceAccountName}} is not allowed' + then + echo "Test succeeded. The phrase 'variable {{serviceAccountName}} is not allowed' is found." + exit 0 + else + echo "Test failed. The phrase 'variable {{serviceAccountName}} is not allowed' has not been found." + exit 1 + fi \ No newline at end of file diff --git a/test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml similarity index 90% rename from test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml index 2efd9e3834..27144825ac 100644 --- a/test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml 
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml @@ -17,4 +17,4 @@ spec: pattern: metadata: labels: - baz: "{{serviceAccountName}}" + baz: "{{serviceAccountName}}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml new file mode 100644 index 0000000000..27144825ac --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-serviceaccountname +spec: + validationFailureAction: audit + background: true + rules: + - name: ns-vars-serviceaccountname + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + baz: "{{serviceAccountName}}" \ No newline at end of file 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml new file mode 100644 index 0000000000..eecf0a850a --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +## Checks that there is specific output when creating a manifest + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{request.userInfo}} is not allowed' + then + echo "Test succeeded. The phrase 'variable {{request.userInfo}} is not allowed' is found." + exit 0 + else + echo "Test failed. The phrase 'variable {{request.userInfo}} is not allowed' has not been found." + exit 1 + fi \ No newline at end of file diff --git a/test/conformance/manifests/validate/fail/background-vars-userinfo.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml similarity index 90% rename from test/conformance/manifests/validate/fail/background-vars-userinfo.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml index 087ae2e26a..937292c584 100644 --- a/test/conformance/manifests/validate/fail/background-vars-userinfo.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml @@ -17,4 +17,4 @@ spec: pattern: metadata: labels: - owner: "{{request.userInfo}}" + owner: "{{request.userInfo}}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null 
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml new file mode 100644 index 0000000000..937292c584 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-userinfo +spec: + validationFailureAction: audit + background: true + rules: + - name: ns-vars-userinfo + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "{{request.userInfo}}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml new file mode 100644 index 0000000000..8d9a20c329 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-owner +status: + ready: true \ No newline at end of file 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml
new file mode 100644
index 0000000000..ad80531fb7
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-owner
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: check-owner
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    validate:
+      message: The `owner` label is required for all Namespaces.
+      pattern:
+        metadata:
+          labels:
+            owner: "?*"
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/02-script.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/02-script.yaml
new file mode 100644
index 0000000000..7580344147
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/02-script.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f resource.yaml
+    then
+      echo "Tested failed. Resource was allowed."
+      exit 1
+    else
+      echo "Test succeeded. Resource was blocked."
+      exit 0
+    fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml
new file mode 100644
index 0000000000..0950676715
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml
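Review bot: The header comment of 02-script.yaml says it checks that `manifests.yaml` cannot be created, but the step applies `resource.yaml`; the comment should name the file it actually applies. Treating any non-zero exit of `kubectl apply -f resource.yaml` as "blocked" also passes when the apply fails for an unrelated reason (cluster unreachable, a typo in the manifest), whereas the audit-mode scripts in this commit grep the returned message; piping through `2>&1 | grep -q` for the rule's `message` text, or for the policy name `require-owner`, would tie the pass to the policy's denial rather than to any error. The success-branch echo reads `"Tested failed. Resource was allowed."` and should be `"Test failed. Resource was allowed."`.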
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mytestingns + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/99-cleanup.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/99-cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md new file mode 100644 index 0000000000..b9ed7e236e --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md @@ -0,0 +1,3 @@ +# Title + +Basic validate test to check that a violating resource cannot be created when the policy is in enforce mode. \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml new file mode 100644 index 0000000000..0950676715 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mytestingns + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" \ No newline at end of file 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml new file mode 100644 index 0000000000..8679bbbc1d --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secret-in-keys +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml new file mode 100644 index 0000000000..2ef0abb272 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml @@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-verify-images +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secret-in-keys +spec: + validationFailureAction: enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: check-secret-in-keys + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:*" + attestors: + - entries: + - keys: + secret: + name: testsecret + namespace: test-verify-images +--- +apiVersion: v1 +kind: Secret +metadata: + name: testsecret + namespace: test-verify-images +data: + cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t +type: Opaque 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml new file mode 100644 index 0000000000..b736ae3d48 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml new file mode 100644 index 0000000000..de7987da27 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-secret \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/99-cleanup.yaml new file mode 100644 index 0000000000..61b7555976 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/README.md new file mode 100644 index 0000000000..3cb272bb55 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/README.md 
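Review bot: 02-assert.yaml only checks that Pod `test-secret-pod` exists in `test-verify-images`; because the policy is `enforce`, existence does imply the Pod was admitted, but it does not show that the key held in `testsecret` was what admitted it. If Kyverno records the verification on the Pod in this configuration (the keyless test later in this commit asserts a `kyverno.io/verify-images` annotation), asserting that annotation here would make the keyed path explicit instead of inferred; if it does not, a comment in the assert saying the existence check is the intended signal would save the next reader the question.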
@@ -0,0 +1,3 @@
+# Title
+
+This test tries to verify an image from a public key stored in a Kubernetes Secret. For version 1.9+.
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml
new file mode 100644
index 0000000000..4b3e65c715
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-mutatedigest-verifydigest-required
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
new file mode 100644
index 0000000000..fb5a00a564
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-mutatedigest-verifydigest-required
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu:*"
+ mutateDigest: true
+ verifyDigest: true
+ required: true
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
\ No newline at end of file
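Review bot: The `keyless-mutatedigest-verifydigest-required` policy verifies images from `ghcr.io/chipzoller/zulu`, a personal repository outside the project's control, against the public Rekor instance, so whether the conformance suite passes now depends on a third party keeping that image, its keyless signature and the `v0.0.14` tag used by the following `02-pod.yaml` intact. The `sha256:476b21…` digest asserted in the next hunk's `02-assert.yaml` tightens that coupling: any re-push of the tag fails the test without any change to the code under test. The keyed-secret test in this same commit already uses `ghcr.io/kyverno/test-verify-image`; hosting the keyless fixture under the project org and stating in the test's `README.md` which workflow signs it would keep the suite reproducible. The `subject` glob `refs/tags/v*` and the explicit `issuer` are appropriately narrow and should be kept as written.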
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml
new file mode 100644
index 0000000000..320fe9bd54
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-norequired
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
new file mode 100644
index 0000000000..507a11c41a
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-norequired
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ mutateDigest: false
+ verifyDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
new file mode 100644
index 0000000000..2d32ed3cb6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
new file mode 100644
index 0000000000..5160f6f593
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
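Review bot: The `imageReferences` pattern `"ghcr.io/chipzoller/zulu*"` in this `01-manifests.yaml` has no `:` before the wildcard, so it also matches any repository whose name merely starts with `zulu` (a constructed example would be `ghcr.io/chipzoller/zulu-other`), which is wider than the test intends and differs from the `zulu:*` form used by the `keyless-mutatedigest-verifydigest-required` manifests earlier in this commit. The `02-assert.yaml` in the same hunk records the annotation key as `ghcr.io/chipzoller/zulu:latest`, which suggests the reference is normalised with a tag before matching; if that holds, `- "ghcr.io/chipzoller/zulu:*"` would keep the test passing while scoping the rule to the one image, so it is worth confirming against the matcher. The same pattern appears in the `keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml` hunk later in this diff. This test also admits an unpinned `latest` tag; that is the scenario under test, but it means the fixture changes underneath the suite whenever upstream pushes a new `latest`.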
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml
new file mode 100644
index 0000000000..304da4359d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-required
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
new file mode 100644
index 0000000000..4c18f321ae
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-required
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ mutateDigest: false
+ verifyDigest: false
+ required: true
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
new file mode 100644
index 0000000000..2d32ed3cb6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
new file mode 100644
index 0000000000..5160f6f593
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/manifests/generate/foo.yaml b/test/conformance/manifests/generate/foo.yaml
deleted file mode 100644
index f4572339b9..0000000000
--- a/test/conformance/manifests/generate/foo.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# placeholder
\ No newline at end of file
diff --git a/test/conformance/manifests/mutate/foo.yaml b/test/conformance/manifests/mutate/foo.yaml
deleted file mode 100644
index f4572339b9..0000000000
--- a/test/conformance/manifests/mutate/foo.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# placeholder
\ No newline at end of file
diff --git a/test/conformance/manifests/verifyImages/foo.yaml b/test/conformance/manifests/verifyImages/foo.yaml
deleted file mode 100644
index f4572339b9..0000000000
--- a/test/conformance/manifests/verifyImages/foo.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# placeholder
\ No newline at end of file