---
apiVersion: v1
kind: Namespace
metadata:
  # Namespace that hosts every Kyverno controller. It is carved out of Kyverno's
  # own admission scope twice (the `[*/*,kyverno,*]` resourceFilters entry and
  # the `webhooks` namespaceSelector in the `kyverno` ConfigMap), so objects
  # created here are not policy-checked; access should be limited to the
  # controllers' service accounts and cluster administrators.
  # NOTE(review): no pod-security.kubernetes.io/* labels are set here — confirm
  # whether Pod Security Admission is expected to cover this namespace.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
  name: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the admission-controller Deployment. It is listed in the
  # `kyverno` ConfigMap's resourceFilters, so Kyverno never evaluates policies
  # against its own account.
  # NOTE(review): automountServiceAccountToken is not set here; the controller
  # needs an API token, so that is presumably intended — confirm the Deployment
  # pins it explicitly rather than relying on the account default.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: admission-controller
  name: kyverno-admission-controller
  namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the background-controller Deployment. Listed in the `kyverno`
  # ConfigMap's resourceFilters, so Kyverno does not police its own account.
  # NOTE(review): automountServiceAccountToken is not set; presumably intended
  # since the controller talks to the API server — confirm in the Deployment.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: background-controller
  name: kyverno-background-controller
  namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the cleanup-controller Deployment. Listed in the `kyverno`
  # ConfigMap's resourceFilters, so Kyverno does not police its own account.
  # NOTE(review): automountServiceAccountToken is not set; presumably intended
  # since the controller talks to the API server — confirm in the Deployment.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: cleanup-controller
  name: kyverno-cleanup-controller
  namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Account used by the cleanup Jobs. Unlike the four controller accounts it
  # is NOT listed in the `kyverno` ConfigMap's resourceFilters (only the
  # *-controller ServiceAccounts are), so policies do apply to it; it is also
  # the only account here without an app.kubernetes.io/component label.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
  name: kyverno-cleanup-jobs
  namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the reports-controller Deployment. Listed in the `kyverno`
  # ConfigMap's resourceFilters, so Kyverno does not police its own account.
  # NOTE(review): automountServiceAccountToken is not set; presumably intended
  # since the controller talks to the API server — confirm in the Deployment.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: reports-controller
  name: kyverno-reports-controller
  namespace: kyverno
---
apiVersion: v1
kind: ConfigMap
metadata:
  # Runtime configuration read by the Kyverno controllers. Every entry under
  # `data` narrows what Kyverno evaluates, i.e. each one is a deliberate
  # admission bypass; review edits to this object with the same scrutiny as a
  # policy change.
  annotations:
    # Helm leaves this object in place on uninstall.
    helm.sh/resource-policy: 'keep'
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: config
  name: kyverno
  namespace: kyverno
data:
  # Per the key names, image references without a registry are presumably
  # rewritten to `defaultRegistry` (docker.io). NOTE(review): confirm; if images
  # are pulled from an internal mirror this should point at the mirror instead.
  enableDefaultRegistryMutation: 'true'
  defaultRegistry: 'docker.io'
  # Per the key name, only failures are surfaced as Kubernetes Events.
  generateSuccessEvents: 'false'
  # Requests made by members of these groups are not evaluated at all.
  # system:nodes is the kubelets' group, so a stolen node credential bypasses
  # every policy; keep this list as short as possible.
  excludeGroups: 'system:nodes'
  # [Kind,Namespace,Name] triples (wildcards allowed); a request matching any
  # entry is skipped by Kyverno. The list carves out the kube-* namespaces,
  # this namespace, Kyverno's own RBAC/workload objects and the webhook TLS
  # Secrets, presumably so that a policy can never act on Kyverno itself.
  # Caveats:
  #  - nothing created in kube-system, kube-public or kube-node-lease is
  #    policy-checked;
  #  - [ReplicaSet,*,*] skips ReplicaSets in every namespace, so a ReplicaSet
  #    created directly (not via a Deployment) is only seen by Pod-level rules;
  #  - the namespace-scoped entries are pinned to `kyverno` by name, so that
  #    namespace must stay tightly restricted.
  # (No comments inside the scalar below: `#` would become part of the value.)
  resourceFilters: >-
    [*/*,kyverno,*]
    [Event,*,*]
    [*/*,kube-system,*]
    [*/*,kube-public,*]
    [*/*,kube-node-lease,*]
    [Node,*,*]
    [Node/*,*,*]
    [APIService,*,*]
    [APIService/*,*,*]
    [TokenReview,*,*]
    [SubjectAccessReview,*,*]
    [SelfSubjectAccessReview,*,*]
    [Binding,*,*]
    [Pod/binding,*,*]
    [ReplicaSet,*,*]
    [ReplicaSet/*,*,*]
    [ClusterRole,*,kyverno:admission-controller]
    [ClusterRole,*,kyverno:admission-controller:core]
    [ClusterRole,*,kyverno:admission-controller:additional]
    [ClusterRole,*,kyverno:background-controller]
    [ClusterRole,*,kyverno:background-controller:core]
    [ClusterRole,*,kyverno:background-controller:additional]
    [ClusterRole,*,kyverno:cleanup-controller]
    [ClusterRole,*,kyverno:cleanup-controller:core]
    [ClusterRole,*,kyverno:cleanup-controller:additional]
    [ClusterRole,*,kyverno:reports-controller]
    [ClusterRole,*,kyverno:reports-controller:core]
    [ClusterRole,*,kyverno:reports-controller:additional]
    [ClusterRoleBinding,*,kyverno:admission-controller]
    [ClusterRoleBinding,*,kyverno:background-controller]
    [ClusterRoleBinding,*,kyverno:cleanup-controller]
    [ClusterRoleBinding,*,kyverno:reports-controller]
    [ServiceAccount,kyverno,kyverno-admission-controller]
    [ServiceAccount/*,kyverno,kyverno-admission-controller]
    [ServiceAccount,kyverno,kyverno-background-controller]
    [ServiceAccount/*,kyverno,kyverno-background-controller]
    [ServiceAccount,kyverno,kyverno-cleanup-controller]
    [ServiceAccount/*,kyverno,kyverno-cleanup-controller]
    [ServiceAccount,kyverno,kyverno-reports-controller]
    [ServiceAccount/*,kyverno,kyverno-reports-controller]
    [Role,kyverno,kyverno:admission-controller]
    [Role,kyverno,kyverno:background-controller]
    [Role,kyverno,kyverno:cleanup-controller]
    [Role,kyverno,kyverno:reports-controller]
    [RoleBinding,kyverno,kyverno:admission-controller]
    [RoleBinding,kyverno,kyverno:background-controller]
    [RoleBinding,kyverno,kyverno:cleanup-controller]
    [RoleBinding,kyverno,kyverno:reports-controller]
    [ConfigMap,kyverno,kyverno]
    [ConfigMap,kyverno,kyverno-metrics]
    [Deployment,kyverno,kyverno-admission-controller]
    [Deployment/*,kyverno,kyverno-admission-controller]
    [Deployment,kyverno,kyverno-background-controller]
    [Deployment/*,kyverno,kyverno-background-controller]
    [Deployment,kyverno,kyverno-cleanup-controller]
    [Deployment/*,kyverno,kyverno-cleanup-controller]
    [Deployment,kyverno,kyverno-reports-controller]
    [Deployment/*,kyverno,kyverno-reports-controller]
    [Pod,kyverno,kyverno-admission-controller-*]
    [Pod/*,kyverno,kyverno-admission-controller-*]
    [Pod,kyverno,kyverno-background-controller-*]
    [Pod/*,kyverno,kyverno-background-controller-*]
    [Pod,kyverno,kyverno-cleanup-controller-*]
    [Pod/*,kyverno,kyverno-cleanup-controller-*]
    [Pod,kyverno,kyverno-reports-controller-*]
    [Pod/*,kyverno,kyverno-reports-controller-*]
    [Job,kyverno,kyverno-hook-pre-delete]
    [Job/*,kyverno,kyverno-hook-pre-delete]
    [NetworkPolicy,kyverno,kyverno-admission-controller]
    [NetworkPolicy/*,kyverno,kyverno-admission-controller]
    [NetworkPolicy,kyverno,kyverno-background-controller]
    [NetworkPolicy/*,kyverno,kyverno-background-controller]
    [NetworkPolicy,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy/*,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy,kyverno,kyverno-reports-controller]
    [NetworkPolicy/*,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget,kyverno,kyverno-background-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-background-controller]
    [PodDisruptionBudget,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-reports-controller]
    [Service,kyverno,kyverno-svc]
    [Service/*,kyverno,kyverno-svc]
    [Service,kyverno,kyverno-svc-metrics]
    [Service/*,kyverno,kyverno-svc-metrics]
    [Service,kyverno,kyverno-background-controller-metrics]
    [Service/*,kyverno,kyverno-background-controller-metrics]
    [Service,kyverno,kyverno-cleanup-controller]
    [Service/*,kyverno,kyverno-cleanup-controller]
    [Service,kyverno,kyverno-cleanup-controller-metrics]
    [Service/*,kyverno,kyverno-cleanup-controller-metrics]
    [Service,kyverno,kyverno-reports-controller-metrics]
    [Service/*,kyverno,kyverno-reports-controller-metrics]
    [ServiceMonitor,kyverno,kyverno-admission-controller]
    [ServiceMonitor,kyverno,kyverno-background-controller]
    [ServiceMonitor,kyverno,kyverno-cleanup-controller]
    [ServiceMonitor,kyverno,kyverno-reports-controller]
    [Secret,kyverno,kyverno-svc.kyverno.svc.*]
    [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
  # namespaceSelector merged into the generated webhook configurations: the API
  # server itself never calls Kyverno for objects in kube-system or kyverno, so
  # those namespaces are unaffected even when Kyverno is down. kube-public and
  # kube-node-lease are excluded only by resourceFilters above (inside Kyverno),
  # not at the webhook. "matchLabels": null is simply an empty label match.
  # Same JSON as before, written as a block scalar so the quotes need no escaping.
  webhooks: |-
    [{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null}}]
  # Annotations stamped onto the webhook configurations.
  # NOTE(review): `admissions.enforcer/disabled` presumably opts the webhooks
  # out of a managed-cluster admission enforcer; confirm it is still required.
  webhookAnnotations: |-
    {"admissions.enforcer/disabled":"true"}
---
apiVersion: v1
kind: ConfigMap
metadata:
  # Metrics exporter settings for the controllers. Unlike the `kyverno`
  # ConfigMap this one carries no helm.sh/resource-policy annotation, so Helm
  # removes it on uninstall.
  labels:
    app.kubernetes.io/version: latest
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/component: config
  name: kyverno-metrics
  namespace: kyverno
data:
  # Both lists empty: per the key name, metrics are presumably recorded for
  # every namespace. NOTE(review): confirm; namespace names then end up as
  # metric labels, which matters for cardinality and for what the metrics
  # endpoint reveals about the cluster.
  namespaces: |-
    {"exclude":[],"include":[]}
  # Histogram bucket boundaries (presumably seconds — TODO confirm the unit).
  bucketBoundaries: '0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30'
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: cleanuppolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: CleanupPolicy
    listKind: CleanupPolicyList
    plural: cleanuppolicies
    shortNames:
    - cleanpol
    singular: cleanuppolicy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v2
    schema:
      openAPIV3Schema:
        description: CleanupPolicy defines a rule for resource cleanup.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: |-
                    ContextEntry adds variables and data sources to a rule Context. Either a
                    ConfigMap reference or a APILookup must be provided.
                  properties:
                    apiCall:
                      description: |-
                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                        The data returned is stored in the context with the name for the context entry.
                      properties:
                        data:
                          description: |-
                            The data object specifies the POST data sent to the server.
                            Only applicable when the method field is set to POST.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                            Defaults to GET.
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: |-
                            Service is an API call to a JSON web service.
                            This is used for non-Kubernetes API server calls.
                            It's mutually exclusive with the URLPath field.
                          properties:
                            caBundle:
                              description: |-
                                CABundle is a PEM encoded CA bundle which will be used to validate
                                the server certificate.
                              type: string
                            url:
                              description: |-
                                URL is the JSON web service URL. A typical form is
                                `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: |-
                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                            Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl get --raw` command.
                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                            It's mutually exclusive with the Service field.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    globalReference:
                      description: GlobalContextEntryReference is a reference to a
                        cached global context entry.
                      properties:
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        name:
                          description: Name of the global context entry
                          type: string
                      type: object
                    imageRegistry:
                      description: |-
                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                        details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry.
                              type: boolean
                            providers:
                              description: |-
                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                It can be of one of these values: default,google,azure,amazon,github.
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: |-
                                Secrets specifies a list of secrets that are provided for credentials.
                                Secrets must live in the Kyverno namespace.
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the ImageData struct returned as a result of processing
                            the image reference.
                          type: string
                        reference:
                          description: |-
                            Reference is image reference to a container image in the registry.
                            Example: ghcr.io/kyverno/kyverno:latest
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: |-
                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                            expression evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: |-
                            JMESPath is an optional JMESPath Expression that can be used to
                            transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: |-
                  ExcludeResources defines when cleanuppolicy should not be applied. The exclude
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a  map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                 Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                 and values support the wildcard characters "*" (matches zero or many characters) and
                                 "?" (matches one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                 "UPDATE", "CONNECT", "DELETE"], which are used to
                                 match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: |-
                  MatchResources defines when cleanuppolicy should be applied. The match
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the user name or role.
                  At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                 Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                 and values support the wildcard characters "*" (matches zero or many characters) and
                                 "?" (matches one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                 "*" (matches zero or many characters) and "?" (matches one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                 "UPDATE", "CONNECT", "DELETE"], which are used to
                                 match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character).Wildcards allows writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              lastExecutionTime:
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    deprecated: true
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: CleanupPolicy defines a rule for resource cleanup.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Operators accepted by this
                            version's schema are: Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
                            GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
                            DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals,
                            DurationLessThan. Note that In and NotIn are not part of the enum below and
                            are rejected by schema validation; the set-membership forms AnyIn/AllIn and
                            AnyNotIn/AllNotIn are the accepted alternatives.
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Operators accepted by this
                            version's schema are: Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
                            GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
                            DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals,
                            DurationLessThan. Note that In and NotIn are not part of the enum below and
                            are rejected by schema validation; the set-membership forms AnyIn/AllIn and
                            AnyNotIn/AllNotIn are the accepted alternatives.
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: |-
                    ContextEntry adds variables and data sources to a rule Context. One of the
                    data sources defined below (apiCall, configMap, globalReference, imageRegistry
                    or variable) is expected for each entry.
                  properties:
                    apiCall:
                      description: |-
                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                        The data returned is stored in the context with the name for the context entry.
                      properties:
                        data:
                          description: |-
                            The data object specifies the POST data sent to the server.
                            Only applicable when the method field is set to POST.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                            Defaults to GET.
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: |-
                            Service is an API call to a JSON web service.
                            This is used for non-Kubernetes API server calls.
                            It's mutually exclusive with the URLPath field.
                          properties:
                            caBundle:
                              description: |-
                                CABundle is a PEM encoded CA bundle which will be used to validate
                                the server certificate.
                              type: string
                            url:
                              description: |-
                                URL is the JSON web service URL. A typical form is
                                `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: |-
                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                            Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl get --raw` command.
                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                            It's mutually exclusive with the Service field.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    globalReference:
                      description: GlobalContextEntryReference is a reference to a
                        cached global context entry.
                      properties:
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        name:
                          description: Name of the global context entry
                          type: string
                      type: object
                    imageRegistry:
                      description: |-
                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                        details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry. An insecure connection does not authenticate the
                                registry, so image data fetched with this enabled should not be
                                relied on for security decisions.
                              type: boolean
                            providers:
                              description: |-
                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                It can be of one of these values: default,google,azure,amazon,github.
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: |-
                                Secrets specifies a list of secrets that are provided for credentials.
                                Secrets must live in the Kyverno namespace.
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the ImageData struct returned as a result of processing
                            the image reference.
                          type: string
                        reference:
                          description: |-
                            Reference is image reference to a container image in the registry.
                            Example: ghcr.io/kyverno/kyverno:latest
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: |-
                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                            expression evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: |-
                            JMESPath is an optional JMESPath Expression that can be used to
                            transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: |-
                  ExcludeResources defines when cleanuppolicy should not be applied. The exclude
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the user name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: |-
                  MatchResources defines when cleanuppolicy should be applied. The match
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the user name or role.
                  At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              lastExecutionTime:
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: clustercleanuppolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterCleanupPolicy
    listKind: ClusterCleanupPolicyList
    plural: clustercleanuppolicies
    shortNames:
    - ccleanpol
    singular: clustercleanuppolicy
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v2
    schema:
      openAPIV3Schema:
        description: ClusterCleanupPolicy defines rule for resource cleanup.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: |-
                    ContextEntry adds variables and data sources to a rule Context. Either a
                    ConfigMap reference or an APILookup must be provided.
                  properties:
                    apiCall:
                      description: |-
                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                        The data returned is stored in the context with the name for the context entry.
                      properties:
                        data:
                          description: |-
                            The data object specifies the POST data sent to the server.
                            Only applicable when the method field is set to POST.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                            Defaults to GET.
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: |-
                            Service is an API call to a JSON web service.
                            This is used for non-Kubernetes API server calls.
                            It's mutually exclusive with the URLPath field.
                          properties:
                            caBundle:
                              description: |-
                                CABundle is a PEM encoded CA bundle which will be used to validate
                                the server certificate.
                              type: string
                            url:
                              description: |-
                                URL is the JSON web service URL. A typical form is
                                `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: |-
                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl get --raw` command.
                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                            It's mutually exclusive with the Service field.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    globalReference:
                      description: GlobalContextEntryReference is a reference to a
                        cached global context entry.
                      properties:
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        name:
                          description: Name of the global context entry
                          type: string
                      type: object
                    imageRegistry:
                      description: |-
                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                        details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry.
                              type: boolean
                            providers:
                              description: |-
                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                It can be one of these values: default,google,azure,amazon,github.
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: |-
                                Secrets specifies a list of secrets that are provided for credentials.
                                Secrets must live in the Kyverno namespace.
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the ImageData struct returned as a result of processing
                            the image reference.
                          type: string
                        reference:
                          description: |-
                            Reference is image reference to a container image in the registry.
                            Example: ghcr.io/kyverno/kyverno:latest
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: |-
                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                            expression evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: |-
                            JMESPath is an optional JMESPath Expression that can be used to
                            transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: |-
                  ExcludeResources defines when cleanuppolicy should not be applied. The exclude
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                 Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: |-
                  MatchResources defines when cleanuppolicy should be applied. The match
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the user name or role.
                  At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                 Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                 Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                   Namespace of the referenced object.  If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              lastExecutionTime:
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    deprecated: true
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: ClusterCleanupPolicy defines rule for resource cleanup.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                       finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                       finer control of when a rule is applied. A condition can reference object data
                       using JMESPath notation.
                       Here, at least one of the conditions needs to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: |-
                    ContextEntry adds variables and data sources to a rule Context. Either a
                     ConfigMap reference or an APILookup must be provided.
                  properties:
                    apiCall:
                      description: |-
                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                        The data returned is stored in the context with the name for the context entry.
                      properties:
                        data:
                          description: |-
                            The data object specifies the POST data sent to the server.
                            Only applicable when the method field is set to POST.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                            Defaults to GET.
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: |-
                            Service is an API call to a JSON web service.
                            This is used for non-Kubernetes API server calls.
                            It's mutually exclusive with the URLPath field.
                          properties:
                            caBundle:
                              description: |-
                                CABundle is a PEM encoded CA bundle which will be used to validate
                                the server certificate.
                              type: string
                            url:
                              description: |-
                                URL is the JSON web service URL. A typical form is
                                `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: |-
                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                             Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl get --raw` command.
                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                            It's mutually exclusive with the Service field.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    globalReference:
                      description: GlobalContextEntryReference is a reference to a
                        cached global context entry.
                      properties:
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the JSON response returned from the server. For example
                            a JMESPath of "items | length(@)" applied to the API server response
                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                            of deployments across all namespaces.
                          type: string
                        name:
                          description: Name of the global context entry
                          type: string
                      type: object
                    imageRegistry:
                      description: |-
                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                        details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry.
                              type: boolean
                            providers:
                              description: |-
                                 Providers specifies a list of OCI Registry names whose authentication providers are provided.
                                 Each value must be one of: default, google, azure, amazon, github.
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: |-
                                Secrets specifies a list of secrets that are provided for credentials.
                                Secrets must live in the Kyverno namespace.
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: |-
                            JMESPath is an optional JSON Match Expression that can be used to
                            transform the ImageData struct returned as a result of processing
                            the image reference.
                          type: string
                        reference:
                          description: |-
                            Reference is image reference to a container image in the registry.
                            Example: ghcr.io/kyverno/kyverno:latest
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: |-
                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                            expression evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: |-
                            JMESPath is an optional JMESPath Expression that can be used to
                            transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: |-
                  ExcludeResources defines when cleanuppolicy should not be applied. The exclude
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                       description: ResourceFilter allows users to "AND" or "OR" between
                         resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                 Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                 "UPDATE", "CONNECT", "DELETE"], which are used to
                                 match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: |-
                  MatchResources defines when the cleanup policy should be applied. The match
                  criteria can include resource information (e.g. kind, name, namespace, labels)
                  and admission review request information like the user name or role.
                  At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                  Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                  and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                                description: Operations can contain values ["CREATE",
                                  "UPDATE", "CONNECT", "DELETE"], which are used to
                                  match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                  Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                    If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                    Namespace of the referenced object.  If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              lastExecutionTime:
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: clusterpolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterPolicy
    listKind: ClusterPolicyList
    plural: clusterpolicies
    shortNames:
    - cpol
    singular: clusterpolicy
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: ClusterPolicy declares validation, mutation, and generation behaviors
          for matching resources.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              admission:
                default: true
                description: |-
                  Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: |-
                  ApplyRules controls how rules in a policy are applied. Rule are processed in
                  the order of declaration. When set to `One` processing stops after a rule has
                  been applied i.e. the rule matches and results in a pass, fail, or error. When
                  set to `All` all rules in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: |-
                  Background controls if rules are applied to existing resources during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              failurePolicy:
                description: Deprecated, use failurePolicy under the webhookConfiguration
                  instead.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: Deprecated, use generateExisting under the generate rule
                  instead
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: Deprecated, use mutateExistingOnPolicyUpdate under the
                  mutate rule instead
                type: boolean
              rules:
                description: |-
                  Rules is a list of Rule instances. A Policy contains multiple rules and
                  each rule can validate, mutate, or generate resources.
                items:
                  description: |-
                    Rule defines a validation, mutation, or generation control for matching resources.
                    Each rule contains a match declaration to select resources, and an optional exclude
                    declaration to specify which resources to exclude.
                  properties:
                    celPreconditions:
                      description: |-
                        CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                        set of CEL conditions. It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          be fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: |-
                              Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                              CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                              'object' - The object from the incoming request. The value is null for DELETE requests.
                              'oldObject' - The existing object. The value is null for CREATE requests.
                              'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                request resource.
                              Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                              Required.
                            type: string
                          name:
                            description: |-
                              Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                              as well as providing an identifier for logging purposes. A good name should be descriptive of
                              the associated expression.
                              Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                              must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                              '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                              optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                              Required.
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: |-
                          ContextEntry adds variables and data sources to a rule Context. Either a
                          ConfigMap reference or an APILookup must be provided.
                        properties:
                          apiCall:
                            description: |-
                              APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                              The data returned is stored in the context with the name for the context entry.
                            properties:
                              data:
                                description: |-
                                  The data object specifies the POST data sent to the server.
                                  Only applicable when the method field is set to POST.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST). Defaults to GET.
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: |-
                                  Service is an API call to a JSON web service.
                                  This is used for non-Kubernetes API server calls.
                                  It's mutually exclusive with the URLPath field.
                                properties:
                                  caBundle:
                                    description: |-
                                      CABundle is a PEM encoded CA bundle which will be used to validate
                                      the server certificate.
                                    type: string
                                  url:
                                    description: |-
                                      URL is the JSON web service URL. A typical form is
                                      `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: |-
                                  URLPath is the URL path to be used in the HTTP GET or POST request to the
                                  Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the `kubectl get --raw` command.
                                  See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                  It's mutually exclusive with the Service field.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          globalReference:
                            description: GlobalContextEntryReference is a reference
                              to a cached global context entry.
                            properties:
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              name:
                                description: Name of the global context entry
                                type: string
                            type: object
                          imageRegistry:
                            description: |-
                              ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                              details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with the registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names for which authentication providers are provided.
                                      Each entry must be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the ImageData struct returned as a result of processing
                                  the image reference.
                                type: string
                              reference:
                                description: |-
                                  Reference is image reference to a container image in the registry.
                                  Example: ghcr.io/kyverno/kyverno:latest
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: |-
                                  Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JMESPath Expression that can be used to
                                  transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: |-
                        ExcludeResources defines when this policy rule should not be applied. The exclude
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allows users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allows users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                         If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: |-
                            ResourceDescription contains information about the resource being created or modified.
                            Requires at least one tag to be specified when under MatchResources.
                            Specifying ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                 Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                 Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                               description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: |-
                            Clone specifies the source resource used to populate each generated resource.
                            At most one of Data or Clone can be specified. If neither are provided, the generated
                            resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                           description: CloneList specifies the list of source resources
                             used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: |-
                                 Selector is a label selector. Label keys and values in `matchLabels` do not
                                 support wildcard characters.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: |-
                            Data provides the resource declaration used to populate each generated resource.
                             At most one of Data or Clone can be specified. If neither are provided, the generated
                            resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        generateExisting:
                          description: |-
                            GenerateExisting controls whether to trigger the rule in existing resources
                             If set to "true", the rule will be triggered and applied to existing matched resources.
                          type: boolean
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        orphanDownstreamOnPolicyDelete:
                          description: |-
                            OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                            them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                            See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                            Defaults to "false" if not specified.
                          type: boolean
                        synchronize:
                          description: |-
                            Synchronize controls if generated resources should be kept in-sync with their source resource.
                            If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                            data from Data or the resource specified in the Clone declaration.
                            Optional. Defaults to "false" if not specified.
                          type: boolean
                        uid:
                          description: UID specifies the resource uid.
                          type: string
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: |-
                                JMESPath is an optional JMESPath expression to apply to the image value.
                                This is useful when the extracted image begins with a prefix like 'docker://'.
                                The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                 Note - Image digest mutation may not be used when applying a JMESPath to an image.
                              type: string
                            key:
                              description: |-
                                Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: |-
                                Name is the entry the image will be available under 'images.<name>' in the context.
                                If this field is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: |-
                                Path is the path to the object containing the image field in a custom resource.
                                It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                Wildcard keys are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: |-
                                Value is an optional name of the field within 'path' that points to the image URI.
                                This is useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: |-
                        ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                        This config is only valid for verifyImages rules.
                      type: object
                    match:
                      description: |-
                        MatchResources defines when this policy rule should be applied. The match
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the user name or role.
                        At least one kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                             description: ResourceFilter allows users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                       Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                       and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: |-
                            ResourceDescription contains information about the resource being created or modified.
                            Requires at least one tag to be specified when under MatchResources.
                            Specifying ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be one of these values: default, google, azure, amazon, github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is an image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil.
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              order:
                                description: |-
                                  Order defines the iteration order on the list.
                                  Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: |-
                                  PatchStrategicMerge is a strategic merge patch used to modify resources.
                                  See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: |-
                                  PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        mutateExistingOnPolicyUpdate:
                          description: MutateExistingOnPolicyUpdate controls if the
                            mutateExisting rule will be applied on policy events.
                          type: boolean
                        patchStrategicMerge:
                          description: |-
                            PatchStrategicMerge is a strategic merge patch used to modify resources.
                            See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: |-
                            PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                            See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: |-
                                  Preconditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                  will be deprecated in the next major release.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                x-kubernetes-preserve-unknown-fields: true
                              uid:
                                description: UID specifies the resource uid.
                                type: string
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule. It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: |-
                        Preconditions are used to determine if a policy rule should be applied by evaluating a
                        set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                          of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                        will be deprecated in the next major release.
                        See: https://kyverno.io/docs/writing-policies/preconditions/
                      x-kubernetes-preserve-unknown-fields: true
                    skipBackgroundRequests:
                      default: true
                      description: |-
                        SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                          The default value is set to "true"; it must be set to "false" to apply
                        generate and mutateExisting rules to those requests.
                      type: boolean
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: |-
                            AnyPattern specifies list of validation patterns. At least one of the patterns
                            must be satisfied for the validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: |-
                                      key specifies the audit annotation key. The audit annotation keys of
                                      a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                      The key is combined with the resource name of the
                                      ValidatingAdmissionPolicy to construct an audit annotation key:
                                      "{ValidatingAdmissionPolicy name}/{key}".


                                      If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation key will be identical.
                                      In this case, the first annotation written with the key will be included
                                      in the audit event and all subsequent annotations with the same key
                                      will be discarded.


                                      Required.
                                    type: string
                                  valueExpression:
                                    description: |-
                                      valueExpression represents the expression which is evaluated by CEL to
                                      produce an audit annotation value. The expression must evaluate to either
                                      a string or null value. If the expression evaluates to a string, the
                                      audit annotation is included with the string value. If the expression
                                      evaluates to null or empty string the audit annotation will be omitted.
                                      The valueExpression may be no longer than 5kb in length.
                                      If the result of the valueExpression is more than 10kb in length, it
                                      will be truncated to 10kb.


                                      If multiple ValidatingAdmissionPolicyBinding resources match an
                                      API request, then the valueExpression will be evaluated for
                                      each binding. All unique values produced by the valueExpressions
                                      will be joined together in a comma-separated list.


                                      Required.
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                      expressions have access to the contents of the
                                      API request/response, organized into CEL variables
                                      as well as some other useful variables:\n\n\n-
                                      'object' - The object from the incoming request.
                                      The value is null for DELETE requests.\n- 'oldObject'
                                      - The existing object. The value is null for
                                      CREATE requests.\n- 'request' - Attributes of
                                      the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                      'params' - Parameter resource referred to by
                                      the policy binding being evaluated. Only populated
                                      if the policy has a ParamKind.\n- 'namespaceObject'
                                      - The namespace object that the incoming object
                                      belongs to. The value is null for cluster-scoped
                                      resources.\n- 'variables' - Map of composited
                                      variables, from its name to its lazily evaluated
                                      value.\n  For example, a variable named 'foo'
                                      can be accessed as 'variables.foo'.\n- 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                      'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the\n  request resource.\n\n\nThe `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the\nobject.
                                      No other metadata properties are accessible.\n\n\nOnly
                                      property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible.\nAccessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression:\n- '__' escapes
                                      to '__underscores__'\n- '.' escapes to '__dot__'\n-
                                      '-' escapes to '__dash__'\n- '/' escapes to
                                      '__slash__'\n- Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are:\n\t  \"true\", \"false\",
                                      \"null\", \"in\", \"as\", \"break\", \"const\",
                                      \"continue\", \"else\", \"for\", \"function\",
                                      \"if\",\n\t  \"import\", \"let\", \"loop\",
                                      \"package\", \"namespace\", \"return\".\nExamples:\n
                                      \ - Expression accessing a property named \"namespace\":
                                      {\"Expression\": \"object.__namespace__ > 0\"}\n
                                      \ - Expression accessing a property named \"x-prop\":
                                      {\"Expression\": \"object.x__dash__prop > 0\"}\n
                                      \ - Expression accessing a property named \"redact__d\":
                                      {\"Expression\": \"object.redact__underscores__d
                                      > 0\"}\n\n\nEquality on arrays with list type
                                      of 'set' or 'map' ignores element order, i.e.
                                      [1, 2] == [2, 1].\nConcatenation on arrays with
                                      x-kubernetes-list-type use the semantics of
                                      the list type:\n  - 'set': `X + Y` performs
                                      a union where the array positions of all elements
                                      in `X` are preserved and\n    non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order.\n  - 'map': `X + Y` performs
                                      a merge where the array positions of all keys
                                      in `X` are preserved but the values\n    are
                                      overwritten by values in `Y` when the key sets
                                      of `X` and `Y` intersect. Elements in `Y` with\n
                                      \   non-intersecting keys are appended, retaining
                                      their partial order.\nRequired."
                                    type: string
                                  message:
                                    description: |-
                                      Message represents the message displayed when validation fails. The message is required if the Expression contains
                                      line breaks. The message must not contain line breaks.
                                      If unset, the message is "failed rule: {Rule}".
                                      e.g. "must be a URL with the host matching spec.host"
                                      If the Expression contains line breaks, Message is required.
                                      The message must not contain line breaks.
                                      If unset, the message is "failed Expression: {Expression}".
                                    type: string
                                  messageExpression:
                                    description: |-
                                      messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                      Since messageExpression is used as a failure message, it must evaluate to a string.
                                      If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                      If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                      as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                      that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                      the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                      messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                      Example:
                                      "object.x must be less than max ("+string(params.max)+")"
                                    type: string
                                  reason:
                                    description: |-
                                      Reason represents a machine-readable description of why this validation failed.
                                      If this is the first validation in the list to fail, this reason, as well as the
                                      corresponding HTTP response code, are used in the
                                      HTTP response to the client.
                                      The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                      If not set, StatusReasonInvalid is used in the response to the client.
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: |-
                                    APIVersion is the API group version the resources belong to.
                                    In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: |-
                                    Kind is the API kind the resources belong to.
                                    Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: |-
                                    `name` is the name of the resource being referenced.


                                    `name` and `selector` are mutually exclusive properties. If one is set,
                                    the other must be unset.
                                  type: string
                                namespace:
                                  description: |-
                                    namespace is the namespace of the referenced resource. Allows limiting
                                    the search for params to a specific namespace. Applies to both `name` and
                                    `selector` fields.


                                    A per-namespace parameter may be used by specifying a namespace-scoped
                                    `paramKind` in the policy and leaving this field empty.


                                    - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                    field results in a configuration error.


                                    - If `paramKind` is namespace-scoped, the namespace of the object being
                                    evaluated for admission will be used when this field is left unset. Take
                                    care that if this is left empty the binding must not match any cluster-scoped
                                    resources, which will result in an error.
                                  type: string
                                parameterNotFoundAction:
                                  description: |-
                                    `parameterNotFoundAction` controls the behavior of the binding when the resource
                                    exists, and name or selector is valid, but there are no parameters
                                    matched by the binding. If the value is set to `Allow`, then no
                                    matched parameters will be treated as successful validation by the binding.
                                    If set to `Deny`, then no matched parameters will be subject to the
                                    `failurePolicy` of the policy.


                                      Allowed values are `Allow` or `Deny`.
                                      Defaults to `Deny`.
                                  type: string
                                selector:
                                  description: |-
                                    selector can be used to match multiple param objects based on their labels.
                                    Supply selector: {} to match all resources of the ParamKind.


                                    If multiple params are found, they are all evaluated with the policy expressions
                                    and the results are ANDed together.


                                    One of `name` or `selector` must be set, but `name` and `selector` are
                                    mutually exclusive properties. If one is set, the other must be unset.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                              x-kubernetes-map-type: atomic
                            variables:
                              description: |-
                                Variables contain definitions of variables that can be used in composition of other expressions.
                                Each variable is defined as a named CEL expression.
                                The variables defined here will be available under `variables` in other expressions of the policy.
                              items:
                                description: Variable is the definition of a variable
                                  that is used for composition.
                                properties:
                                  expression:
                                    description: |-
                                      Expression is the expression that will be evaluated as the value of the variable.
                                      The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                    type: string
                                  name:
                                    description: |-
                                      Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                      The variable can be accessed in other expressions through `variables`
                                      For example, if name is "foo", the variable will be available as `variables.foo`
                                    type: string
                                required:
                                - expression
                                - name
                                type: object
                              type: array
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: |-
                                Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                but will be deprecated in the next major release.
                                See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                              x-kubernetes-preserve-unknown-fields: true
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: |-
                                  AnyPattern specifies list of validation patterns. At least one of the patterns
                                  must be satisfied for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                             Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                                 with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                 It can be one of these values: default, google, azure, amazon, github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: |-
                                      Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                      of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: |-
                                  ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                  When set to "false", "request.object" is used as the validation scope within the foreach
                                  block to allow referencing other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                       finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                             Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                       finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                             Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                               description: Attestors specifies the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: |-
                                      Count specifies the required number of entries that must match. If the count is null, all entries must match
                                      (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                      value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: |-
                                      Entries contains the available attestors. An attestor can be a static key,
                                      attributes for keyless verification, or a nested attestor declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            Annotations are used for image verification.
                                            Every specified key-value pair must exist and match in the verified payload.
                                            The payload may contain other key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested set of
                                            Attestor used to specify a more complex
                                            set of match authorities.
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates.
                                          properties:
                                            cert:
                                              description: Cert is an optional PEM-encoded
                                                public certificate.
                                              type: string
                                            certChain:
                                              description: CertChain is an optional
                                                PEM encoded set of certificates used
                                                to verify.
                                              type: string
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                     may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                          type: object
                                        keyless:
                                          description: |-
                                             Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                     may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            roots:
                                              description: |-
                                                Roots is an optional set of PEM encoded trusted root certificates.
                                                If not provided, the system roots are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address.
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys.
                                          properties:
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                     may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            kms:
                                              description: |-
                                                KMS provides the URI to the public key stored in a Key Management System. See:
                                                https://github.com/sigstore/cosign/blob/main/KMS.md
                                              type: string
                                            publicKeys:
                                              description: |-
                                                Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                specified or can be a variable reference to a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                 The named Secret must specify a key `cosign.pub` containing the public key used for
                                                 verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                 When multiple keys are specified, each key is processed as a separate staticKey entry
                                                 (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            secret:
                                               description: Reference to a Secret resource
                                                 that contains a public key.
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha224, sha256, sha384 and sha512.
                                              type: string
                                          type: object
                                        repository:
                                          description: |-
                                            Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                             If specified, Repository will override other OCI image repository locations for this Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: |-
                                Repository is an optional alternate OCI repository to use for resource bundle reference.
                                The repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: |-
                            PodSecurity applies exemptions for Kubernetes Pod Security admission
                            by specifying exclusions for Pod Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: |-
                                      ControlName specifies the name of the Pod Security Standard control.
                                      See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: |-
                                      Images selects matching containers and applies the container level PSS.
                                      Each image is the image name consisting of the registry address, repository, image, and tag.
                                       An empty list matches no containers; PSS checks are applied at the pod level only.
                                      Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                    items:
                                      type: string
                                    type: array
                                  restrictedField:
                                    description: |-
                                      RestrictedField selects the field for the given Pod Security Standard control.
                                      When not set, all restricted fields for the control are selected.
                                    type: string
                                  values:
                                    description: Values defines the allowed values
                                      that can be excluded.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: |-
                                Level defines the Pod Security Standard level to be applied to workloads.
                                Allowed values are privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: |-
                                Version defines the Pod Security Standard versions that Kubernetes supports.
                                Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - v1.27
                              - v1.28
                              - v1.29
                              - latest
                              type: string
                          type: object
                        validationFailureAction:
                          description: |-
                            ValidationFailureAction defines if a validation policy rule violation should block
                            the admission review request (enforce), or allow (audit) the admission review request
                            and report an error in a policy report. Optional.
                            Allowed values are audit or enforce.
                          enum:
                          - audit
                          - enforce
                          - Audit
                          - Enforce
                          type: string
                        validationFailureActionOverrides:
                          description: |-
                            ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                            namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                          items:
                            properties:
                              action:
                                description: ValidationFailureAction defines the policy
                                  validation failure action
                                enum:
                                - audit
                                - enforce
                                - Audit
                                - Enforce
                                type: string
                              namespaceSelector:
                                description: |-
                                  A label selector is a label query over a set of resources. The result of matchLabels and
                                  matchExpressions are ANDed. An empty label selector matches all objects. A null
                                  label selector matches no objects.
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: |-
                                        A label selector requirement is a selector that contains values, a key, and an operator that
                                        relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: |-
                                            operator represents a key's relationship to a set of values.
                                            Valid operators are In, NotIn, Exists and DoesNotExist.
                                          type: string
                                        values:
                                          description: |-
                                            values is an array of string values. If the operator is In or NotIn,
                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array is replaced during a strategic
                                            merge patch.
                                          items:
                                            type: string
                                          type: array
                                          x-kubernetes-list-type: atomic
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                    x-kubernetes-list-type: atomic
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                                x-kubernetes-map-type: atomic
                              namespaces:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                      type: object
                    verifyImages:
                       description: VerifyImages is used to verify image signatures
                         and mutate them to add a digest.
                      items:
                        description: |-
                          ImageVerification validates that images that match the specified pattern
                          are signed with the supplied public key. Once the image is verified it is
                          mutated to include the SHA digest retrieved during the registration.
                        properties:
                          additionalExtensions:
                            additionalProperties:
                              type: string
                            description: Deprecated.
                            type: object
                          annotations:
                            additionalProperties:
                              type: string
                            description: Deprecated. Use annotations per Attestor
                              instead.
                            type: object
                          attestations:
                            description: |-
                              Attestations are optional checks for signed in-toto Statements used to verify the image.
                              See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                              OCI registry and decodes them into a list of Statement declarations.
                            items:
                              description: |-
                                 An Attestation is a check for signed in-toto Statements that are used to verify the image.
                                See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                OCI registry and decodes them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities).
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key, a certificate,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to skip checking the Signed Certificate Timestamp (SCT), which is the
                                                        evidence that the signing certificate was logged to a certificate transparency log. Default is false.
                                                        Set to true only if SCT inclusion was opted out during signing; doing so removes that evidence from verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips transparency log
                                                        verification, so a signature is accepted without
                                                        a matching Rekor entry. This weakens verification
                                                        and should only be set for signatures that were
                                                        intentionally created without a Rekor upload.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is the set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to skip checking the Signed Certificate Timestamp (SCT), which is the
                                                        evidence that the signing certificate was logged to a certificate transparency log. Default is false.
                                                        Set to true only if SCT inclusion was opted out during signing; doing so removes that evidence from verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips transparency log
                                                        verification, so a signature is accepted without
                                                        a matching Rekor entry. This weakens verification
                                                        and should only be set for signatures that were
                                                        intentionally created without a Rekor upload.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified identity used
                                                    for keyless signing, for example the email address.
                                                    Pin it together with issuer, since a subject is only
                                                    meaningful relative to the identity provider that
                                                    asserted it.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to skip checking the Signed Certificate Timestamp (SCT), which is the
                                                        evidence that the signing certificate was logged to a certificate transparency log. Default is false.
                                                        Set to true only if SCT inclusion was opted out during signing; doing so removes that evidence from verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips transparency log
                                                        verification, so a signature is accepted without
                                                        a matching Rekor entry. This weakens verification
                                                        and should only be set for signatures that were
                                                        intentionally created without a Rekor upload.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specifies the digest (hash) algorithm
                                                    used when verifying signatures made with these
                                                    public keys; it must match the algorithm used at
                                                    signing time. Supported values are sha224, sha256,
                                                    sha384 and sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: |-
                                    Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long as at least one attestation with a matching
                                    predicate type is present; the predicate contents are not inspected in that case.
                                  items:
                                    description: |-
                                      AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                      AllConditions get fulfilled only when all of its sub-conditions pass.
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass.
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass.
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: Deprecated in favour of 'Type', to
                                    be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specify the required attestors
                              (i.e. authorities) against which the image signature is verified.
                            items:
                              properties:
                                count:
                                  description: |-
                                    Count specifies the required number of entries that must match. If the count is null, all entries must match
                                    (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                    value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: |-
                                    Entries contains the available attestors. An attestor can be a static key, a certificate,
                                    attributes for keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations are used for image verification.
                                          Every specified key-value pair must exist and match in the verified payload.
                                          The payload may contain other key-value pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested set of Attestor
                                          used to specify a more complex set of match
                                          authorities.
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates.
                                        properties:
                                          cert:
                                            description: Cert is an optional PEM-encoded
                                              public certificate.
                                            type: string
                                          certChain:
                                            description: CertChain is an optional
                                              PEM encoded set of certificates used
                                              to verify.
                                            type: string
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp.
                                                type: string
                                            type: object
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: |-
                                                  IgnoreTlog skips transparency log verification. This weakens the check and should only be set
                                                  when the signature was intentionally created without a transparency log entry.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                        type: object
                                      keyless:
                                        description: |-
                                          Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp.
                                                type: string
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: |-
                                                  IgnoreTlog skips transparency log verification. This weakens the check and should only be set
                                                  when the signature was intentionally created without a transparency log entry.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          roots:
                                            description: |-
                                              Roots is an optional set of PEM encoded trusted root certificates.
                                              If not provided, the system roots are used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address.
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys.
                                        properties:
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp.
                                                type: string
                                            type: object
                                          kms:
                                            description: |-
                                              KMS provides the URI to the public key stored in a Key Management System. See:
                                              https://github.com/sigstore/cosign/blob/main/KMS.md
                                            type: string
                                          publicKeys:
                                            description: |-
                                              Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                              specified or can be a variable reference to a key specified in a ConfigMap (see
                                              https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key `cosign.pub` containing the public key used for
                                              verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each key is processed as a separate staticKey entry
                                              (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: |-
                                                  IgnoreTlog skips transparency log verification. This weakens the check and should only be set
                                                  when the signature was intentionally created without a transparency log entry.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha224, sha256, sha384 and sha512.
                                            type: string
                                        type: object
                                      repository:
                                        description: |-
                                          Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                          If specified Repository will override other OCI image repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          cosignOCI11:
                            description: |-
                              CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                              Defaults to false.
                            type: boolean
                          image:
                            description: Deprecated. Use ImageReferences instead.
                            type: string
                          imageReferences:
                            description: |-
                              ImageReferences is a list of matching image reference patterns. At least one pattern in the
                              list must match the image for the rule to apply. Each image reference consists of a registry
                              address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry.
                            properties:
                              allowInsecureRegistry:
                                description: |-
                                  AllowInsecureRegistry allows insecure access to a registry. Leave it unset unless the
                                  registry genuinely cannot be reached securely, since it weakens the transport protection.
                                type: boolean
                              providers:
                                description: |-
                                  Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                  It can be one of these values: default, google, azure, amazon, github.
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: |-
                                  Secrets specifies a list of secrets that are provided for credentials.
                                  Secrets must live in the Kyverno namespace.
                                items:
                                  type: string
                                type: array
                            type: object
                          issuer:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          key:
                            description: Deprecated. Use StaticKeyAttestor instead.
                            type: string
                          mutateDigest:
                            default: true
                            description: |-
                              MutateDigest enables replacement of image tags with digests.
                              Defaults to true.
                            type: boolean
                          repository:
                            description: |-
                              Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                              If specified Repository will override the default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified,
                              i.e. have passed a signature or attestation check.
                            type: boolean
                          roots:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          skipImageReferences:
                            description: |-
                              SkipImageReferences is a list of matching image reference patterns that should be skipped.
                              At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                              consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          subject:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          type:
                            description: |-
                              Type specifies the method of signature validation. The allowed options
                              are Cosign and Notary. By default Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule.
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: Deprecated.
                type: boolean
              useServerSideApply:
                description: |-
                  UseServerSideApply controls whether to use server-side apply for generate rules
                  If set to "true", create & update for generate rules will use apply instead of create/update.
                  Defaults to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: Deprecated, use validationFailureAction under the validate
                  rule instead.
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: Deprecated, use validationFailureActionOverrides under
                  the validate rule instead.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: |-
                        A label selector is a label query over a set of resources. The result of matchLabels and
                        matchExpressions are ANDed. An empty label selector matches all objects. A null
                        label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookConfiguration:
                description: WebhookConfiguration specifies the custom configuration
                  for Kubernetes admission webhookconfiguration.
                properties:
                  failurePolicy:
                    description: |-
                      FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
                      Rules within the same policy share the same failure behavior.
                      This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
                      Allowed values are Ignore or Fail. Defaults to Fail. Ignore lets the request proceed when the
                      policy cannot be evaluated, so it fails open.
                    enum:
                    - Ignore
                    - Fail
                    type: string
                  matchConditions:
                    description: |-
                      MatchCondition configures admission webhook matchConditions.
                      Requires Kubernetes 1.27 or later.
                    items:
                      description: MatchCondition represents a condition which must
                        be fulfilled for a request to be sent to a webhook.
                      properties:
                        expression:
                          description: |-
                            Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                            CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                            'object' - The object from the incoming request. The value is null for DELETE requests.
                            'oldObject' - The existing object. The value is null for CREATE requests.
                            'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                            'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                              See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                            'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                              request resource.
                            Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                            Required.
                          type: string
                        name:
                          description: |-
                            Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                            as well as providing an identifier for logging purposes. A good name should be descriptive of
                            the associated expression.
                            Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                            must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                            '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                            optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                            Required.
                          type: string
                      required:
                      - expression
                      - name
                      type: object
                    type: array
                  timeoutSeconds:
                    description: |-
                      TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
                      After the configured time expires, the admission request may fail, or may simply ignore the policy results,
                      based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
                    format: int32
                    type: integer
                type: object
              webhookTimeoutSeconds:
                description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
                  instead.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: AutogenStatus contains autogen status information.
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: |-
                        Rule defines a validation, mutation, or generation control for matching resources.
                        Each rule contains a match declaration to select resources, and an optional exclude
                        declaration to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: |-
                            CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                            set of CEL conditions. It can only be used with the validate.cel subrule
                          items:
                            description: MatchCondition represents a condition which
                              must be fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: |-
                                  Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                                  CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                                  'object' - The object from the incoming request. The value is null for DELETE requests.
                                  'oldObject' - The existing object. The value is null for CREATE requests.
                                  'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                    See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                    request resource.
                                  Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                                  Required.
                                type: string
                              name:
                                description: |-
                                  Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes. A good name should be descriptive of
                                  the associated expression.
                                  Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                                  '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                                  optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                                  Required.
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: |-
                              ContextEntry adds variables and data sources to a rule Context. Either a
                              ConfigMap reference or an APILookup must be provided.
                            properties:
                              apiCall:
                                description: |-
                                  APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                  The data returned is stored in the context with the name for the context entry.
                                properties:
                                  data:
                                    description: |-
                                      The data object specifies the POST data sent to the server.
                                      Only applicable when the method field is set to POST.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST). Defaults to GET.
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: |-
                                      Service is an API call to a JSON web service.
                                      This is used for non-Kubernetes API server calls.
                                      It's mutually exclusive with the URLPath field.
                                    properties:
                                      caBundle:
                                        description: |-
                                          CABundle is a PEM encoded CA bundle which will be used to validate
                                          the server certificate.
                                        type: string
                                      url:
                                        description: |-
                                          URL is the JSON web service URL. A typical form is
                                          `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: |-
                                      URLPath is the URL path to be used in the HTTP GET or POST request to the
                                      Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used by the `kubectl get --raw` command.
                                      See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                      It's mutually exclusive with the Service field.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              globalReference:
                                description: GlobalContextEntryReference is a reference
                                  to a cached global context entry.
                                properties:
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  name:
                                    description: Name of the global context entry
                                    type: string
                                type: object
                              imageRegistry:
                                description: |-
                                  ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                  details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry.
                                        type: boolean
                                      providers:
                                        description: |-
                                          Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                          It can be of one of these values: default,google,azure,amazon,github.
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: |-
                                          Secrets specifies a list of secrets that are provided for credentials.
                                          Secrets must live in the Kyverno namespace.
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: |-
                                      Reference is image reference to a container image in the registry.
                                      Example: ghcr.io/kyverno/kyverno:latest
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: |-
                                      Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                      expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JMESPath Expression that can be used to
                                      transform the variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: |-
                            ExcludeResources defines when this policy rule should not be applied. The exclude
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespaces names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                    Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                      If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: |-
                                Clone specifies the source resource used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither are provided, the generated
                                resource will be created with default data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resources used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: |-
                                  Selector is a label selector. Wildcard characters are not supported in
                                  `matchLabels` keys and values.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: |-
                                Data provides the resource declaration used to populate each generated resource.
                                At most one of Data or Clone may be specified. If neither is provided, the generated
                                resource will be created with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            generateExisting:
                              description: |-
                                GenerateExisting controls whether to trigger the rule on existing resources.
                                If set to "true", the rule will be triggered and applied to existing matched resources.
                              type: boolean
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            orphanDownstreamOnPolicyDelete:
                              description: |-
                                OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                                them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                                See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                                Defaults to "false" if not specified.
                              type: boolean
                            synchronize:
                              description: |-
                                Synchronize controls if generated resources should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                                data from Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                            uid:
                              description: UID specifies the resource uid.
                              type: string
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: |-
                                    JMESPath is an optional JMESPath expression to apply to the image value.
                                    This is useful when the extracted image begins with a prefix like 'docker://'.
                                    The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                    Note - Image digest mutation may not be used when applying a JMESPath to an image.
                                  type: string
                                key:
                                  description: |-
                                    Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                    Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: |-
                                    Name is the entry the image will be available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will appear under 'images.custom'.
                                  type: string
                                path:
                                  description: |-
                                    Path is the path to the object containing the image field in a custom resource.
                                    It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                    Wildcard keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: |-
                                    Value is an optional name of the field within 'path' that points to the image URI.
                                    This is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: |-
                            ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                            This config is only valid for verifyImages rules.
                          type: object
                        match:
                          description: |-
                            MatchResources defines when this policy rule should be applied. The match
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespaces names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespaces names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                    Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                      If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is the image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  order:
                                    description: |-
                                      Order defines the iteration order on the list.
                                      Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: |-
                                      PatchStrategicMerge is a strategic merge patch used to modify resources.
                                      See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: |-
                                      PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                      See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            mutateExistingOnPolicyUpdate:
                              description: MutateExistingOnPolicyUpdate controls if
                                the mutateExisting rule will be applied on policy
                                events.
                              type: boolean
                            patchStrategicMerge:
                              description: |-
                                PatchStrategicMerge is a strategic merge patch used to modify resources.
                                See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: |-
                                PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with the registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is the image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: |-
                                      Preconditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    x-kubernetes-preserve-unknown-fields: true
                                  uid:
                                    description: UID specifies the resource uid.
                                    type: string
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule. It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: |-
                            Preconditions are used to determine if a policy rule should be applied by evaluating a
                            set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                             of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                            will be deprecated in the next major release.
                            See: https://kyverno.io/docs/writing-policies/preconditions/
                          x-kubernetes-preserve-unknown-fields: true
                        skipBackgroundRequests:
                          default: true
                          description: |-
                            SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                            The default value is set to "true", it must be set to "false" to apply
                            generate and mutateExisting rules to those requests.
                          type: boolean
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: |-
                                AnyPattern specifies list of validation patterns. At least one of the patterns
                                must be satisfied for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: |-
                                          key specifies the audit annotation key. The audit annotation keys of
                                          a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                          The key is combined with the resource name of the
                                          ValidatingAdmissionPolicy to construct an audit annotation key:
                                          "{ValidatingAdmissionPolicy name}/{key}".


                                          If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation key will be identical.
                                          In this case, the first annotation written with the key will be included
                                          in the audit event and all subsequent annotations with the same key
                                          will be discarded.


                                          Required.
                                        type: string
                                      valueExpression:
                                        description: |-
                                          valueExpression represents the expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression must evaluate to either
                                          a string or null value. If the expression evaluates to a string, the
                                          audit annotation is included with the string value. If the expression
                                          evaluates to null or empty string the audit annotation will be omitted.
                                          The valueExpression may be no longer than 5kb in length.
                                          If the result of the valueExpression is more than 10kb in length, it
                                          will be truncated to 10kb.


                                          If multiple ValidatingAdmissionPolicyBinding resources match an
                                          API request, then the valueExpression will be evaluated for
                                          each binding. All unique values produced by the valueExpressions
                                          will be joined together in a comma-separated list.


                                          Required.
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                          expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables:\n\n\n- 'object' - The object
                                          from the incoming request. The value is
                                          null for DELETE requests.\n- 'oldObject'
                                          - The existing object. The value is null
                                          for CREATE requests.\n- 'request' - Attributes
                                          of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                          'params' - Parameter resource referred to
                                          by the policy binding being evaluated. Only
                                          populated if the policy has a ParamKind.\n-
                                          'namespaceObject' - The namespace object
                                          that the incoming object belongs to. The
                                          value is null for cluster-scoped resources.\n-
                                          'variables' - Map of composited variables,
                                          from its name to its lazily evaluated value.\n
                                          \ For example, a variable named 'foo' can
                                          be accessed as 'variables.foo'.\n- 'authorizer'
                                          - A CEL Authorizer. May be used to perform
                                          authorization checks for the principal (user
                                          or service account) of the request.\n  See
                                          https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                          'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the\n  request resource.\n\n\nThe `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the\nobject.
                                          No other metadata properties are accessible.\n\n\nOnly
                                          property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                          are accessible.\nAccessible property names
                                          are escaped according to the following rules
                                          when accessed in the expression:\n- '__'
                                          escapes to '__underscores__'\n- '.' escapes
                                          to '__dot__'\n- '-' escapes to '__dash__'\n-
                                          '/' escapes to '__slash__'\n- Property names
                                          that exactly match a CEL RESERVED keyword
                                          escape to '__{keyword}__'. The keywords
                                          are:\n\t  \"true\", \"false\", \"null\",
                                          \"in\", \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",\n\t
                                          \ \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\".\nExamples:\n
                                          \ - Expression accessing a property named
                                          \"namespace\": {\"Expression\": \"object.__namespace__
                                          > 0\"}\n  - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"}\n  - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"}\n\n\nEquality on arrays with list
                                          type of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1].\nConcatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type:\n  - 'set':
                                          `X + Y` performs a union where the array
                                          positions of all elements in `X` are preserved
                                          and\n    non-intersecting elements in `Y`
                                          are appended, retaining their partial order.\n
                                          \ - 'map': `X + Y` performs a merge where
                                          the array positions of all keys in `X` are
                                          preserved but the values\n    are overwritten
                                          by values in `Y` when the key sets of `X`
                                          and `Y` intersect. Elements in `Y` with\n
                                          \   non-intersecting keys are appended,
                                          retaining their partial order.\nRequired."
                                        type: string
                                      message:
                                        description: |-
                                          Message represents the message displayed when validation fails. The message is required if the Expression contains
                                          line breaks. The message must not contain line breaks.
                                          If unset, the message is "failed rule: {Rule}".
                                          e.g. "must be a URL with the host matching spec.host"
                                          If the Expression contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression: {Expression}".
                                        type: string
                                      messageExpression:
                                        description: |-
                                          messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                          Since messageExpression is used as a failure message, it must evaluate to a string.
                                          If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                          If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                          as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                          that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                          the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                          messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                          Example:
                                          "object.x must be less than max ("+string(params.max)+")"
                                        type: string
                                      reason:
                                        description: |-
                                          Reason represents a machine-readable description of why this validation failed.
                                          If this is the first validation in the list to fail, this reason, as well as the
                                          corresponding HTTP response code, are used in the
                                          HTTP response to the client.
                                          The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                          If not set, StatusReasonInvalid is used in the response to the client.
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: |-
                                        APIVersion is the API group version the resources belong to.
                                        In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind is the API kind the resources belong to.
                                        Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: |-
                                        `name` is the name of the resource being referenced.


                                        `name` and `selector` are mutually exclusive properties. If one is set,
                                        the other must be unset.
                                      type: string
                                    namespace:
                                      description: |-
                                        namespace is the namespace of the referenced resource. Allows limiting
                                        the search for params to a specific namespace. Applies to both `name` and
                                        `selector` fields.


                                        A per-namespace parameter may be used by specifying a namespace-scoped
                                        `paramKind` in the policy and leaving this field empty.


                                        - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                        field results in a configuration error.


                                        - If `paramKind` is namespace-scoped, the namespace of the object being
                                        evaluated for admission will be used when this field is left unset. Take
                                        care that if this is left empty the binding must not match any cluster-scoped
                                        resources, which will result in an error.
                                      type: string
                                    parameterNotFoundAction:
                                      description: |-
                                        `parameterNotFoundAction` controls the behavior of the binding when the resource
                                        exists, and name or selector is valid, but there are no parameters
                                        matched by the binding. If the value is set to `Allow`, then no
                                        matched parameters will be treated as successful validation by the binding.
                                        If set to `Deny`, then no matched parameters will be subject to the
                                        `failurePolicy` of the policy.


                                        Allowed values are `Allow` or `Deny`
                                        Default to `Deny`
                                      type: string
                                    selector:
                                      description: |-
                                        selector can be used to match multiple param objects based on their labels.
                                        Supply selector: {} to match all resources of the ParamKind.


                                        If multiple params are found, they are all evaluated with the policy expressions
                                        and the results are ANDed together.


                                        One of `name` or `selector` must be set, but `name` and `selector` are
                                        mutually exclusive properties. If one is set, the other must be unset.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list
                                            of label selector requirements. The requirements
                                            are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key
                                                  that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                variables:
                                  description: |-
                                    Variables contain definitions of variables that can be used in composition of other expressions.
                                    Each variable is defined as a named CEL expression.
                                    The variables defined here will be available under `variables` in other expressions of the policy.
                                  items:
                                    description: Variable is the definition of a variable
                                      that is used for composition.
                                    properties:
                                      expression:
                                        description: |-
                                          Expression is the expression that will be evaluated as the value of the variable.
                                          The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                        type: string
                                      name:
                                        description: |-
                                          Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                          The variable can be accessed in other expressions through `variables`
                                          For example, if name is "foo", the variable will be available as `variables.foo`
                                        type: string
                                    required:
                                    - expression
                                    - name
                                    type: object
                                  type: array
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: |-
                                    Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: |-
                                      AnyPattern specifies list of validation patterns. At least one of the patterns
                                      must be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be one of these values: default,google,azure,amazon,github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: |-
                                          Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                          of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                          but will be deprecated in the next major release.
                                          See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: |-
                                      ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used as the validation scope within the foreach
                                      block to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                              description: Attestors specifies the required attestors
                                (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                            Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                PublicKeys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                  description: |-
                                                    IgnoreTlog skips transparency log verification.
                                                    Set to true only when the signature was created without uploading to a transparency log;
                                                    this removes the inclusion check and should be treated as weakening verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                              description: |-
                                                Specify the hash (digest) algorithm used when verifying signatures made with the public keys.
                                                Supported values are sha224, sha256, sha384 and sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                              description: |-
                                Fields which will be ignored while comparing manifests.
                                Ignored fields are excluded from the comparison, so changes to them do not cause
                                manifest verification to fail; keep this list as small as possible.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: |-
                                    Repository is an optional alternate OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: |-
                                PodSecurity applies exemptions for Kubernetes Pod Security admission
                                by specifying exclusions for Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: |-
                                          ControlName specifies the name of the Pod Security Standard control.
                                          See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: |-
                                          Images selects matching containers and applies the container level PSS.
                                          Each image is the image name consisting of the registry address, repository, image, and tag.
                                          Empty list matches no containers, PSS checks are applied at the pod level only.
                                          Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                        items:
                                          type: string
                                        type: array
                                      restrictedField:
                                        description: |-
                                          RestrictedField selects the field for the given Pod Security Standard control.
                                          When not set, all restricted fields for the control are selected.
                                        type: string
                                      values:
                                    description: |-
                                      Values lists the values of the restricted field that are exempted
                                      (allowed) for the control.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: |-
                                    Level defines the Pod Security Standard level to be applied to workloads.
                                    Allowed values are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: |-
                                Version defines the Pod Security Standard version to apply.
                                    Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - v1.27
                                  - v1.28
                                  - v1.29
                                  - latest
                                  type: string
                              type: object
                            validationFailureAction:
                              description: |-
                                ValidationFailureAction defines if a validation policy rule violation should block
                                the admission review request (enforce), or allow (audit) the admission review request
                            and report an error in a policy report. Optional.
                            Allowed values are audit or enforce (the capitalized forms Audit and Enforce are also accepted).
                              enum:
                              - audit
                              - enforce
                              - Audit
                              - Enforce
                              type: string
                            validationFailureActionOverrides:
                              description: |-
                            ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                            namespace-wise. It overrides ValidationFailureAction for the specified namespaces. An override to
                            audit admits violating resources in the selected namespaces, so scope overrides deliberately.
                              items:
                                properties:
                                  action:
                                    description: ValidationFailureAction defines the
                                      policy validation failure action
                                    enum:
                                    - audit
                                    - enforce
                                    - Audit
                                    - Enforce
                                    type: string
                                  namespaceSelector:
                                    description: |-
                                      A label selector is a label query over a set of resources. The result of matchLabels and
                                      matchExpressions are ANDed. An empty label selector matches all objects. A null
                                      label selector matches no objects.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    items:
                                      type: string
                                    type: array
                                type: object
                              type: array
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: |-
                          ImageVerification validates that images that match the specified pattern
                          are signed by the configured attestors (for example public keys, certificates, or keyless identities).
                          Once the image is verified it is mutated to include the image digest resolved during verification.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                            description: Deprecated. Use additionalExtensions
                              per keyless Attestor instead.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Deprecated. Use annotations per Attestor
                                  instead.
                                type: object
                              attestations:
                                description: |-
                                  Attestations are optional checks for signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                  OCI registry and decodes them into a list of Statement declarations.
                                items:
                                  description: |-
                                    Attestation are checks for signed in-toto Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                    OCI registry and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities).
                                      items:
                                        properties:
                                          count:
                                            description: |-
                                              Count specifies the required number of entries that must match. If the count is null, all entries must match
                                              (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                              value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: |-
                                              Entries contains the available attestors. An attestor can be a static key,
                                              attributes for keyless verification, or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: |-
                                                    Annotations are used for image verification.
                                                    Every specified key-value pair must exist and match in the verified payload.
                                                    The payload may contain other key-value pairs.
                                                  type: object
                                                attestor:
                                              description: Attestor is a nested
                                                Attestor declaration used to specify
                                                a more complex set of match authorities.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates.
                                                  properties:
                                                    cert:
                                                      description: Cert is an optional
                                                        PEM-encoded public certificate.
                                                      type: string
                                                    certChain:
                                                  description: CertChain is an
                                                    optional PEM encoded set of
                                                    certificates used to verify the signing certificate.
                                                      type: string
                                                    ctlog:
                                                      description: |-
                                                    CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                      description: |-
                                                        IgnoreTlog skips transparency log verification.
                                                        Set to true only when the signature was created without uploading to a transparency log;
                                                        this removes the inclusion check and should be treated as weakening verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: |-
                                                    Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                    See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    ctlog:
                                                      description: |-
                                                        CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true only if SCT embedding was opted out of during signing; doing so disables this check.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog skips transparency
                                                            log (Rekor) verification. When true, signatures
                                                            are accepted without proof of inclusion in the
                                                            transparency log, so enable it only for signatures
                                                            deliberately created without a Rekor entry.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    roots:
                                                      description: |-
                                                        Roots is an optional set of PEM encoded trusted root certificates.
                                                        If not provided, the system roots are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address.
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys.
                                                  properties:
                                                    ctlog:
                                                      description: |-
                                                        CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true only if SCT embedding was opted out of during signing; doing so disables this check.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    kms:
                                                      description: |-
                                                        KMS provides the URI to the public key stored in a Key Management System. See:
                                                        https://github.com/sigstore/cosign/blob/main/KMS.md
                                                      type: string
                                                    publicKeys:
                                                      description: |-
                                                        Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                        specified or can be a variable reference to a key specified in a ConfigMap (see
                                                        https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                        elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify a key `cosign.pub` containing the public key used for
                                                        verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified each key is processed as a separate staticKey entry
                                                        (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog skips transparency
                                                            log (Rekor) verification. When true, signatures
                                                            are accepted without proof of inclusion in the
                                                            transparency log, so enable it only for signatures
                                                            deliberately created without a Rekor entry.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify the hash algorithm
                                                        used when verifying signatures with the
                                                        public keys. Supported values are sha224,
                                                        sha256, sha384 and sha512.
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: |-
                                                    Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                    If specified Repository will override other OCI image repository locations for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: |-
                                        Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long as there are predicates that match the predicate type.
                                      items:
                                        description: |-
                                          AnyAllConditions wraps a set of conditions denoting the logical criteria to be fulfilled.
                                          AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                          AllConditions get fulfilled only when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: |-
                                              AllConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, all of the conditions need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: |-
                                              AnyConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, at least one of the conditions needs to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: Deprecated in favour of 'Type',
                                        to be removed soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specifies the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: |-
                                        Count specifies the required number of entries that must match. If the count is null, all entries must match
                                        (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                        value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: |-
                                        Entries contains the available attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              Annotations are used for image verification.
                                              Every specified key-value pair must exist and match in the verified payload.
                                              The payload may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested set
                                              of Attestors used to specify a more complex
                                              set of matching authorities.
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates.
                                            properties:
                                              cert:
                                                description: Cert is an optional PEM-encoded
                                                  public certificate.
                                                type: string
                                              certChain:
                                                description: CertChain is an optional
                                                  PEM encoded set of certificates
                                                  used to verify.
                                                type: string
                                              ctlog:
                                                description: |-
                                                  CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true only if SCT embedding was opted out of during signing; doing so disables this check.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips transparency
                                                      log (Rekor) verification. When true, signatures
                                                      are accepted without proof of inclusion in the
                                                      transparency log, so enable it only for signatures
                                                      deliberately created without a Rekor entry.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                            type: object
                                          keyless:
                                            description: |-
                                               Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                       may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              roots:
                                                description: |-
                                                  Roots is an optional set of PEM encoded trusted root certificates.
                                                  If not provided, the system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address.
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys.
                                            properties:
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                       may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              kms:
                                                description: |-
                                                  KMS provides the URI to the public key stored in a Key Management System. See:
                                                  https://github.com/sigstore/cosign/blob/main/KMS.md
                                                type: string
                                              publicKeys:
                                                description: |-
                                                  Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                  specified or can be a variable reference to a key specified in a ConfigMap (see
                                                  https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                  elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a key `cosign.pub` containing the public key used for
                                                  verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified each key is processed as a separate staticKey entry
                                                  (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha224, sha256, sha384 and sha512.
                                                type: string
                                            type: object
                                          repository:
                                            description: |-
                                              Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                              If specified Repository will override other OCI image repository locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              cosignOCI11:
                                description: |-
                                  CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                                  Defaults to false.
                                type: boolean
                              image:
                                description: Deprecated. Use ImageReferences instead.
                                type: string
                              imageReferences:
                                description: |-
                                  ImageReferences is a list of matching image reference patterns. At least one pattern in the
                                  list must match the image for the rule to apply. Each image reference consists of a registry
                                  address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                   that will be used for authentication with the registry.
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                       It can be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              key:
                                description: Deprecated. Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: |-
                                  MutateDigest enables replacement of image tags with digests.
                                  Defaults to true.
                                type: boolean
                              repository:
                                description: |-
                                  Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                                  If specified Repository will override the default OCI image repository configured for the installation.
                                  The repository can also be overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                   i.e. have passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              skipImageReferences:
                                description: |-
                                  SkipImageReferences is a list of matching image reference patterns that should be skipped.
                                  At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                                  consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              subject:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              type:
                                description: |-
                                  Type specifies the method of signature validation. The allowed options
                                  are Cosign and Notary. By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule.
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: |-
                   RuleCountStatus contains four variables which describe counts for
                  validate, generate, mutate and verify images rules
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
              validatingadmissionpolicy:
                description: ValidatingAdmissionPolicy contains status information
                properties:
                  generated:
                    description: Generated indicates whether a validating admission
                      policy is generated from the policy or not
                    type: boolean
                  message:
                    description: |-
                       Message is a human readable message indicating details about the generation of the validating admission policy.
                      It is an empty string when validating admission policy is successfully generated.
                    type: string
                required:
                - generated
                - message
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: ClusterPolicy declares validation, mutation, and generation behaviors
          for matching resources.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              admission:
                default: true
                description: |-
                  Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: |-
                   ApplyRules controls how rules in a policy are applied. Rules are processed in
                  the order of declaration. When set to `One` processing stops after a rule has
                  been applied i.e. the rule matches and results in a pass, fail, or error. When
                  set to `All` all rules in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: |-
                  Background controls if rules are applied to existing resources during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              failurePolicy:
                description: Deprecated, use failurePolicy under the webhookConfiguration
                  instead.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: Deprecated, use generateExisting under the generate rule
                  instead
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: Deprecated, use mutateExistingOnPolicyUpdate under the
                  mutate rule instead
                type: boolean
              rules:
                description: |-
                  Rules is a list of Rule instances. A Policy contains multiple rules and
                  each rule can validate, mutate, or generate resources.
                items:
                  description: |-
                    Rule defines a validation, mutation, or generation control for matching resources.
                     Each rule contains a match declaration to select resources, and an optional exclude
                    declaration to specify which resources to exclude.
                  properties:
                    celPreconditions:
                      description: |-
                        CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                        set of CEL conditions. It can only be used with the validate.cel subrule
                      items:
                         description: MatchCondition represents a condition which must
                           be fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: |-
                              Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                              CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                              'object' - The object from the incoming request. The value is null for DELETE requests.
                              'oldObject' - The existing object. The value is null for CREATE requests.
                              'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                request resource.
                              Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                              Required.
                            type: string
                          name:
                            description: |-
                              Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                              as well as providing an identifier for logging purposes. A good name should be descriptive of
                              the associated expression.
                              Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                              must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                              '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                              optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                              Required.
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: |-
                           ContextEntry adds variables and data sources to a rule Context. One of the
                           data sources below (apiCall, configMap, globalReference, imageRegistry or variable) must be provided.
                        properties:
                          apiCall:
                            description: |-
                              APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                              The data returned is stored in the context with the name for the context entry.
                            properties:
                              data:
                                description: |-
                                  The data object specifies the POST data sent to the server.
                                  Only applicable when the method field is set to POST.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST). Defaults to GET.
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: |-
                                  Service is an API call to a JSON web service.
                                  This is used for non-Kubernetes API server calls.
                                  It's mutually exclusive with the URLPath field.
                                properties:
                                  caBundle:
                                    description: |-
                                       CABundle is a PEM encoded CA bundle which will be used to validate
                                       the server certificate. Pin it to the CA that issued the service's
                                       certificate: the response of this call is stored in the rule context
                                       and feeds policy decisions, so the trust anchors should be no wider than needed.
                                    type: string
                                  url:
                                    description: |-
                                      URL is the JSON web service URL. A typical form is
                                      `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: |-
                                  URLPath is the URL path to be used in the HTTP GET or POST request to the
                                  Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the `kubectl get --raw` command.
                                  See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                  It's mutually exclusive with the Service field.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          globalReference:
                            description: GlobalContextEntryReference is a reference
                              to a cached global context entry.
                            properties:
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              name:
                                description: Name of the global context entry
                                type: string
                            type: object
                          imageRegistry:
                            description: |-
                              ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                              details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                     description: AllowInsecureRegistry allows insecure
                                       access to a registry. Leave it unset (false) unless the
                                       registry cannot be reached securely; image data fetched
                                       this way is used in policy decisions.
                                    type: boolean
                                  providers:
                                    description: |-
                                       Providers specifies the list of registry credential providers to use for authentication.
                                       Each entry must be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the ImageData struct returned as a result of processing
                                  the image reference.
                                type: string
                              reference:
                                description: |-
                                  Reference is image reference to a container image in the registry.
                                  Example: ghcr.io/kyverno/kyverno:latest
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: |-
                                  Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JMESPath Expression that can be used to
                                  transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: |-
                        ExcludeResources defines when this policy rule should not be applied. The exclude
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                       Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                       and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespaces names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                     description: Operations can contain values ["CREATE",
                                       "UPDATE", "CONNECT", "DELETE"], which are used
                                       to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                       Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                     Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                         If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                         Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty,
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                       Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                       and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: |-
                            Clone specifies the source resource used to populate each generated resource.
                            At most one of Data or Clone can be specified. If neither is provided, the generated
                            resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resources
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels`
                                do not support wildcard characters.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: |-
                            Data provides the resource declaration used to populate each generated resource.
                            At most one of Data or Clone must be specified. If neither is provided, the generated
                            resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        generateExisting:
                          description: |-
                            GenerateExisting controls whether to trigger the rule in existing resources
                            If set to "true" the rule will be triggered and applied to existing matched resources.
                          type: boolean
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        orphanDownstreamOnPolicyDelete:
                          description: |-
                            OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                            them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                            See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                            Defaults to "false" if not specified.
                          type: boolean
                        synchronize:
                          description: |-
                            Synchronize controls if generated resources should be kept in-sync with their source resource.
                            If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                            data from Data or the resource specified in the Clone declaration.
                            Optional. Defaults to "false" if not specified.
                          type: boolean
                        uid:
                          description: UID specifies the resource uid.
                          type: string
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: |-
                                JMESPath is an optional JMESPath expression to apply to the image value.
                                This is useful when the extracted image begins with a prefix like 'docker://'.
                                The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                Note - Image digest mutation may not be used when applying a JMESPath to an image.
                              type: string
                            key:
                              description: |-
                                Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: |-
                                Name is the entry under which the image will be available as 'images.<name>' in the context.
                                If this field is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: |-
                                Path is the path to the object containing the image field in a custom resource.
                                It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                Wildcard keys are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: |-
                                Value is an optional name of the field within 'path' that points to the image URI.
                                This is useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: |-
                        ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                        This config is only valid for verifyImages rules.
                      type: object
                    match:
                      description: |-
                        MatchResources defines when this policy rule should be applied. The match
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the user name or role.
                        At least one kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allows users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allows users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespaces names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              order:
                                description: |-
                                  Order defines the iteration order on the list.
                                  Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: |-
                                  PatchStrategicMerge is a strategic merge patch used to modify resources.
                                  See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: |-
                                  PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                       AllConditions enable variable-based conditional rule execution. This is useful for
                                       finer control of when a rule is applied. A condition can reference object data
                                       using JMESPath notation.
                                       Here, all of the conditions need to pass.
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                       AnyConditions enable variable-based conditional rule execution. This is useful for
                                       finer control of when a rule is applied. A condition can reference object data
                                       using JMESPath notation.
                                       Here, at least one of the conditions needs to pass.
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        mutateExistingOnPolicyUpdate:
                          description: MutateExistingOnPolicyUpdate controls if the
                            mutateExisting rule will be applied on policy events.
                          type: boolean
                        patchStrategicMerge:
                          description: |-
                            PatchStrategicMerge is a strategic merge patch used to modify resources.
                            See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: |-
                            PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                            See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                     ContextEntry adds variables and data sources to a rule Context. One of
                                     apiCall, configMap, globalReference, imageRegistry or variable must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                             Service is an API call to a JSON web service.
                                             This is used for non-Kubernetes API server calls.
                                             It's mutually exclusive with the URLPath field.
                                             The URL is not constrained by this schema, so a policy containing a service
                                             call makes the Kyverno controllers issue outbound HTTP requests (GET or POST,
                                             with policy-supplied data) to whatever endpoint the policy author specifies;
                                             grant the ability to create such policies accordingly.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                             JMESPath is an optional JSON Match Expression that can be used to
                                             transform the data held by the referenced (cached) global context entry.
                                             For example, a JMESPath of "items | length(@)" applied to a cached API
                                             server response for the URLPath "/apis/apps/v1/deployments" will return
                                             the total count of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                               description: |-
                                                 AllowInsecureRegistry allows insecure access to a registry.
                                                 Image metadata fetched over an insecure connection can be tampered with
                                                 in transit, so leave this unset (false) for any registry whose responses
                                                 feed policy decisions.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: |-
                                  Preconditions are used to determine if a policy rule should be applied by evaluating a
                                   set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                   of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                   will be deprecated in the next major release.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                x-kubernetes-preserve-unknown-fields: true
                              uid:
                                description: UID specifies the resource uid.
                                type: string
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule, It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: |-
                        Preconditions are used to determine if a policy rule should be applied by evaluating a
                        set of conditions. The declaration can contain nested `any` or `all` statements.
                        See: https://kyverno.io/docs/writing-policies/preconditions/
                      properties:
                        all:
                          description: |-
                             AllConditions enable variable-based conditional rule execution. This is useful for
                             finer control of when a rule is applied. A condition can reference object data
                             using JMESPath notation.
                             Here, all of the conditions need to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: |-
                                   Operator is the conditional operation to perform. Valid operators are:
                                   Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                   GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                   DurationLessThanOrEquals, DurationLessThan (In and NotIn are not accepted by this field's enum)
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: |-
                                  Value is the conditional value, or set of values. The values can be fixed set
                                  or can be variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        any:
                          description: |-
                             AnyConditions enable variable-based conditional rule execution. This is useful for
                             finer control of when a rule is applied. A condition can reference object data
                             using JMESPath notation.
                             Here, at least one of the conditions needs to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: |-
                                   Operator is the conditional operation to perform. Valid operators are:
                                   Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                   GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                   DurationLessThanOrEquals, DurationLessThan (In and NotIn are not accepted by this field's enum)
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: |-
                                  Value is the conditional value, or set of values. The values can be fixed set
                                  or can be variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    skipBackgroundRequests:
                      default: true
                      description: |-
                        SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                        The default value is set to "true", it must be set to "false" to apply
                        generate and mutateExisting rules to those requests.
                      type: boolean
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: |-
                            AnyPattern specifies a list of validation patterns. At least one of the patterns
                            must be satisfied for the validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: |-
                                      key specifies the audit annotation key. The audit annotation keys of
                                      a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                      The key is combined with the resource name of the
                                      ValidatingAdmissionPolicy to construct an audit annotation key:
                                      "{ValidatingAdmissionPolicy name}/{key}".


                                      If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation key will be identical.
                                      In this case, the first annotation written with the key will be included
                                      in the audit event and all subsequent annotations with the same key
                                      will be discarded.


                                      Required.
                                    type: string
                                  valueExpression:
                                    description: |-
                                      valueExpression represents the expression which is evaluated by CEL to
                                      produce an audit annotation value. The expression must evaluate to either
                                      a string or null value. If the expression evaluates to a string, the
                                      audit annotation is included with the string value. If the expression
                                      evaluates to null or empty string the audit annotation will be omitted.
                                      The valueExpression may be no longer than 5kb in length.
                                      If the result of the valueExpression is more than 10kb in length, it
                                      will be truncated to 10kb.


                                      If multiple ValidatingAdmissionPolicyBinding resources match an
                                      API request, then the valueExpression will be evaluated for
                                      each binding. All unique values produced by the valueExpressions
                                      will be joined together in a comma-separated list.


                                      Required.
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                      expressions have access to the contents of the
                                      API request/response, organized into CEL variables
                                      as well as some other useful variables:\n\n\n-
                                      'object' - The object from the incoming request.
                                      The value is null for DELETE requests.\n- 'oldObject'
                                      - The existing object. The value is null for
                                      CREATE requests.\n- 'request' - Attributes of
                                      the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                      'params' - Parameter resource referred to by
                                      the policy binding being evaluated. Only populated
                                      if the policy has a ParamKind.\n- 'namespaceObject'
                                      - The namespace object that the incoming object
                                      belongs to. The value is null for cluster-scoped
                                      resources.\n- 'variables' - Map of composited
                                      variables, from its name to its lazily evaluated
                                      value.\n  For example, a variable named 'foo'
                                      can be accessed as 'variables.foo'.\n- 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                      'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the\n  request resource.\n\n\nThe `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the\nobject.
                                      No other metadata properties are accessible.\n\n\nOnly
                                      property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible.\nAccessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression:\n- '__' escapes
                                      to '__underscores__'\n- '.' escapes to '__dot__'\n-
                                      '-' escapes to '__dash__'\n- '/' escapes to
                                      '__slash__'\n- Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are:\n\t  \"true\", \"false\",
                                      \"null\", \"in\", \"as\", \"break\", \"const\",
                                      \"continue\", \"else\", \"for\", \"function\",
                                      \"if\",\n\t  \"import\", \"let\", \"loop\",
                                      \"package\", \"namespace\", \"return\".\nExamples:\n
                                      \ - Expression accessing a property named \"namespace\":
                                      {\"Expression\": \"object.__namespace__ > 0\"}\n
                                      \ - Expression accessing a property named \"x-prop\":
                                      {\"Expression\": \"object.x__dash__prop > 0\"}\n
                                      \ - Expression accessing a property named \"redact__d\":
                                      {\"Expression\": \"object.redact__underscores__d
                                      > 0\"}\n\n\nEquality on arrays with list type
                                      of 'set' or 'map' ignores element order, i.e.
                                      [1, 2] == [2, 1].\nConcatenation on arrays with
                                      x-kubernetes-list-type use the semantics of
                                      the list type:\n  - 'set': `X + Y` performs
                                      a union where the array positions of all elements
                                      in `X` are preserved and\n    non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order.\n  - 'map': `X + Y` performs
                                      a merge where the array positions of all keys
                                      in `X` are preserved but the values\n    are
                                      overwritten by values in `Y` when the key sets
                                      of `X` and `Y` intersect. Elements in `Y` with\n
                                      \   non-intersecting keys are appended, retaining
                                      their partial order.\nRequired."
                                    type: string
                                  message:
                                    description: |-
                                      Message represents the message displayed when validation fails. The message is required if the Expression contains
                                      line breaks. The message must not contain line breaks.
                                      If unset, the message is "failed rule: {Rule}".
                                      e.g. "must be a URL with the host matching spec.host"
                                      If the Expression contains line breaks, Message is required.
                                      The message must not contain line breaks.
                                      If unset, the message is "failed Expression: {Expression}".
                                    type: string
                                  messageExpression:
                                    description: |-
                                      messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                      Since messageExpression is used as a failure message, it must evaluate to a string.
                                      If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                      If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                      as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                      that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                      the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                      messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                      Example:
                                      "object.x must be less than max ("+string(params.max)+")"
                                    type: string
                                  reason:
                                    description: |-
                                      Reason represents a machine-readable description of why this validation failed.
                                      If this is the first validation in the list to fail, this reason, as well as the
                                      corresponding HTTP response code, are used in the
                                      HTTP response to the client.
                                      The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                      If not set, StatusReasonInvalid is used in the response to the client.
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: |-
                                    APIVersion is the API group version the resources belong to.
                                    In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: |-
                                    Kind is the API kind the resources belong to.
                                    Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: |-
                                    `name` is the name of the resource being referenced.


                                    `name` and `selector` are mutually exclusive properties. If one is set,
                                    the other must be unset.
                                  type: string
                                namespace:
                                  description: |-
                                    namespace is the namespace of the referenced resource. Allows limiting
                                    the search for params to a specific namespace. Applies to both `name` and
                                    `selector` fields.


                                    A per-namespace parameter may be used by specifying a namespace-scoped
                                    `paramKind` in the policy and leaving this field empty.


                                    - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                    field results in a configuration error.


                                    - If `paramKind` is namespace-scoped, the namespace of the object being
                                    evaluated for admission will be used when this field is left unset. Take
                                    care that if this is left empty the binding must not match any cluster-scoped
                                    resources, which will result in an error.
                                  type: string
                                parameterNotFoundAction:
                                  description: |-
                                    `parameterNotFoundAction` controls the behavior of the binding when the resource
                                    exists, and name or selector is valid, but there are no parameters
                                    matched by the binding. If the value is set to `Allow`, then no
                                    matched parameters will be treated as successful validation by the binding.
                                    If set to `Deny`, then no matched parameters will be subject to the
                                    `failurePolicy` of the policy.


                                    Allowed values are `Allow` or `Deny`.
                                    Defaults to `Deny`.
                                  type: string
                                selector:
                                  description: |-
                                    selector can be used to match multiple param objects based on their labels.
                                    Supply selector: {} to match all resources of the ParamKind.


                                    If multiple params are found, they are all evaluated with the policy expressions
                                    and the results are ANDed together.


                                    One of `name` or `selector` must be set, but `name` and `selector` are
                                    mutually exclusive properties. If one is set, the other must be unset.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                              x-kubernetes-map-type: atomic
                            variables:
                              description: |-
                                Variables contain definitions of variables that can be used in composition of other expressions.
                                Each variable is defined as a named CEL expression.
                                The variables defined here will be available under `variables` in other expressions of the policy.
                              items:
                                description: Variable is the definition of a variable
                                  that is used for composition.
                                properties:
                                  expression:
                                    description: |-
                                      Expression is the expression that will be evaluated as the value of the variable.
                                      The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                    type: string
                                  name:
                                    description: |-
                                      Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                      The variable can be accessed in other expressions through `variables`.
                                      For example, if name is "foo", the variable will be available as `variables.foo`
                                    type: string
                                required:
                                - expression
                                - name
                                type: object
                              type: array
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: |-
                                Multiple conditions can be declared under an `any` or `all` statement.
                                See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                              properties:
                                all:
                                  description: |-
                                    AllConditions enable variable-based conditional rule execution. This is useful for
                                    finer control of when a rule is applied. A condition can reference object data
                                    using JMESPath notation.
                                    Here, all of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: |-
                                          Operator is the conditional operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: |-
                                          Value is the conditional value, or set of values. The values can be fixed set
                                          or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                                any:
                                  description: |-
                                    AnyConditions enable variable-based conditional rule execution. This is useful for
                                    finer control of when a rule is applied. A condition can reference object data
                                    using JMESPath notation.
                                    Here, at least one of the conditions needs to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: |-
                                          Operator is the conditional operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: |-
                                          Value is the conditional value, or set of values. The values can be fixed set
                                          or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                              type: object
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: |-
                                  AnyPattern specifies a list of validation patterns. At least one of the patterns
                                  must be satisfied for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with the registry.
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: |-
                                      Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                      of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: |-
                                  ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                  When set to "false", "request.object" is used as the validation scope within the foreach
                                  block to allow referencing other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specifies the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: |-
                                      Count specifies the required number of entries that must match. If the count is null, all entries must match
                                      (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                      value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: |-
                                      Entries contains the available attestors. An attestor can be a static key,
                                      attributes for keyless verification, or a nested attestor declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            Annotations are used for image verification.
                                            Every specified key-value pair must exist and match in the verified payload.
                                            The payload may contain other key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested set of
                                            Attestor used to specify a more complex
                                            set of match authorities.
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates.
                                          properties:
                                            cert:
                                              description: Cert is an optional PEM-encoded
                                                public certificate.
                                              type: string
                                            certChain:
                                              description: CertChain is an optional
                                                PEM encoded set of certificates used
                                                to verify.
                                              type: string
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                  type: string
                                              type: object
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                          type: object
                                        keyless:
                                          description: |-
                                            Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                  type: string
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            roots:
                                              description: |-
                                                Roots is an optional set of PEM encoded trusted root certificates.
                                                If not provided, the system roots are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address.
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys.
                                          properties:
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp source.
                                                  type: string
                                              type: object
                                            kms:
                                              description: |-
                                                KMS provides the URI to the public key stored in a Key Management System. See:
                                                https://github.com/sigstore/cosign/blob/main/KMS.md
                                              type: string
                                            publicKeys:
                                              description: |-
                                                Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                specified or can be a variable reference to a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key `cosign.pub` containing the public key used for
                                                verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each key is processed as a separate staticKey entry
                                                (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha224, sha256, sha384 and sha512.
                                              type: string
                                          type: object
                                        repository:
                                          description: |-
                                            Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                            If specified Repository will override other OCI image repository locations for this Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: |-
                                Repository is an optional alternate OCI repository to use for resource bundle reference.
                                The repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: |-
                            PodSecurity applies exemptions for Kubernetes Pod Security admission
                            by specifying exclusions for Pod Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: |-
                                      ControlName specifies the name of the Pod Security Standard control.
                                      See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: |-
                                      Images selects matching containers and applies the container level PSS.
                                      Each image is the image name consisting of the registry address, repository, image, and tag.
                                      Empty list matches no containers, PSS checks are applied at the pod level only.
                                      Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                    items:
                                      type: string
                                    type: array
                                  restrictedField:
                                    description: |-
                                      RestrictedField selects the field for the given Pod Security Standard control.
                                      When not set, all restricted fields for the control are selected.
                                    type: string
                                  values:
                                    description: Values defines the allowed values
                                      that can be excluded.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: |-
                                Level defines the Pod Security Standard level to be applied to workloads.
                                Allowed values are privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: |-
                                Version defines the Pod Security Standard versions that Kubernetes supports.
                                Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - v1.27
                              - v1.28
                              - v1.29
                              - latest
                              type: string
                          type: object
                        validationFailureAction:
                          description: |-
                            ValidationFailureAction defines if a validation policy rule violation should block
                            the admission review request (enforce), or allow (audit) the admission review request
                            and report an error in a policy report. Optional.
                            Allowed values are audit or enforce.
                          enum:
                          - audit
                          - enforce
                          - Audit
                          - Enforce
                          type: string
                        validationFailureActionOverrides:
                          description: |-
                            ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                            namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                          items:
                            properties:
                              action:
                                description: ValidationFailureAction defines the policy
                                  validation failure action
                                enum:
                                - audit
                                - enforce
                                - Audit
                                - Enforce
                                type: string
                              namespaceSelector:
                                description: |-
                                  A label selector is a label query over a set of resources. The result of matchLabels and
                                  matchExpressions are ANDed. An empty label selector matches all objects. A null
                                  label selector matches no objects.
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: |-
                                        A label selector requirement is a selector that contains values, a key, and an operator that
                                        relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: |-
                                            operator represents a key's relationship to a set of values.
                                            Valid operators are In, NotIn, Exists and DoesNotExist.
                                          type: string
                                        values:
                                          description: |-
                                            values is an array of string values. If the operator is In or NotIn,
                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array is replaced during a strategic
                                            merge patch.
                                          items:
                                            type: string
                                          type: array
                                          x-kubernetes-list-type: atomic
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                    x-kubernetes-list-type: atomic
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                                x-kubernetes-map-type: atomic
                              namespaces:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: |-
                          ImageVerification validates that images that match the specified pattern
                          are signed with the supplied public key. Once the image is verified it is
                          mutated to include the SHA digest retrieved during the registration.
                        properties:
                          attestations:
                            description: |-
                              Attestations are optional checks for signed in-toto Statements used to verify the image.
                              See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                              OCI registry and decodes them into a list of Statement declarations.
                            items:
                              description: |-
                                Attestation are checks for signed in-toto Statements that are used to verify the image.
                                See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                OCI registry and decodes them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities).
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp source.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: |-
                                    Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long as there are predicates that match the predicate type.
                                  items:
                                    description: |-
                                      AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                      AllConditions get fulfilled only when all of its sub-conditions pass.
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass.
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass.
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: Deprecated in favour of 'Type', to
                                    be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specifies the required attestors
                              (i.e. authorities).
                            items:
                              properties:
                                count:
                                  description: |-
                                    Count specifies the required number of entries that must match. If the count is null, all entries must match
                                    (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                    value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: |-
                                    Entries contains the available attestors. An attestor can be a static key,
                                    attributes for keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations are used for image verification.
                                          Every specified key-value pair must exist and match in the verified payload.
                                          The payload may contain other key-value pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested set of Attestors
                                          used to specify a more complex set of match
                                          authorities.
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates.
                                        properties:
                                          cert:
                                            description: Cert is an optional PEM-encoded
                                              public certificate.
                                            type: string
                                          certChain:
                                            description: CertChain is an optional
                                              PEM encoded set of certificates used
                                              to verify.
                                            type: string
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp response.
                                                type: string
                                            type: object
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                        type: object
                                      keyless:
                                        description: |-
                                          Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp response.
                                                type: string
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          roots:
                                            description: |-
                                              Roots is an optional set of PEM encoded trusted root certificates.
                                              If not provided, the system roots are used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address.
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys.
                                        properties:
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp response.
                                                type: string
                                            type: object
                                          kms:
                                            description: |-
                                              KMS provides the URI to the public key stored in a Key Management System. See:
                                              https://github.com/sigstore/cosign/blob/main/KMS.md
                                            type: string
                                          publicKeys:
                                            description: |-
                                              Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                              specified or can be a variable reference to a key specified in a ConfigMap (see
                                              https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key `cosign.pub` containing the public key used for
                                              verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each key is processed as a separate staticKey entry
                                              (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha224, sha256, sha384 and sha512.
                                            type: string
                                        type: object
                                      repository:
                                        description: |-
                                          Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                          If specified Repository will override other OCI image repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          imageReferences:
                            description: |-
                              ImageReferences is a list of matching image reference patterns. At least one pattern in the
                              list must match the image for the rule to apply. Each image reference consists of a registry
                              address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with the registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry.
                                type: boolean
                              providers:
                                description: |-
                                  Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                  It can be of one of these values: default,google,azure,amazon,github.
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: |-
                                  Secrets specifies a list of secrets that are provided for credentials.
                                  Secrets must live in the Kyverno namespace.
                                items:
                                  type: string
                                type: array
                            type: object
                          mutateDigest:
                            default: true
                            description: |-
                              MutateDigest enables replacement of image tags with digests.
                              Defaults to true.
                            type: boolean
                          repository:
                            description: |-
                              Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                              If specified Repository will override the default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have passed a signature or attestation
                              check.
                            type: boolean
                          skipImageReferences:
                            description: |-
                              SkipImageReferences is a list of matching image reference patterns that should be skipped.
                              At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                              consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          type:
                            description: |-
                              Type specifies the method of signature validation. The allowed options
                              are Cosign and Notary. By default Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: Deprecated.
                type: boolean
              useServerSideApply:
                description: |-
                  UseServerSideApply controls whether to use server-side apply for generate rules
                  If set to "true", create and update for generate rules will use apply instead of create/update.
                  Defaults to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: Deprecated, use validationFailureAction under the validate
                  rule instead.
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: Deprecated, use validationFailureActionOverrides under
                  the validate rule instead.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: |-
                        A label selector is a label query over a set of resources. The result of matchLabels and
                        matchExpressions are ANDed. An empty label selector matches all objects. A null
                        label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookConfiguration:
                description: WebhookConfiguration specifies the custom configuration
                  for Kubernetes admission webhookconfiguration.
                properties:
                  failurePolicy:
                    description: |-
                      FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
                      Rules within the same policy share the same failure behavior.
                      This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
                      Allowed values are Ignore or Fail. Defaults to Fail.
                    enum:
                    - Ignore
                    - Fail
                    type: string
                  matchConditions:
                    description: |-
                      MatchCondition configures admission webhook matchConditions.
                      Requires Kubernetes 1.27 or later.
                    items:
                      description: MatchCondition represents a condition which must
                        be fulfilled for a request to be sent to a webhook.
                      properties:
                        expression:
                          description: |-
                            Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                            CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                            'object' - The object from the incoming request. The value is null for DELETE requests.
                            'oldObject' - The existing object. The value is null for CREATE requests.
                            'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                            'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                              See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                            'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                              request resource.
                            Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                            Required.
                          type: string
                        name:
                          description: |-
                            Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                            as well as providing an identifier for logging purposes. A good name should be descriptive of
                            the associated expression.
                            Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                            must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
                            '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                            optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                            Required.
                          type: string
                      required:
                      - expression
                      - name
                      type: object
                    type: array
                  timeoutSeconds:
                    description: |-
                      TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
                      After the configured time expires, the admission request may fail, or may simply ignore the policy results,
                      based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
                    format: int32
                    type: integer
                type: object
              webhookTimeoutSeconds:
                description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
                  instead.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: AutogenStatus contains autogen status information.
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: |-
                        Rule defines a validation, mutation, or generation control for matching resources.
                        Each rule contains a match declaration to select resources, and an optional exclude
                        declaration to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: |-
                            CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                            set of CEL conditions. It can only be used with the validate.cel subrule
                          items:
                            description: MatchCondition represents a condition which
                              must be fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: |-
                                  Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                                  CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                                  'object' - The object from the incoming request. The value is null for DELETE requests.
                                  'oldObject' - The existing object. The value is null for CREATE requests.
                                  'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                    See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                    request resource.
                                  Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                                  Required.
                                type: string
                              name:
                                description: |-
                                  Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes. A good name should be descriptive of
                                  the associated expression.
                                  Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
                                  '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                                  optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                                  Required.
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: |-
                              ContextEntry adds variables and data sources to a rule Context. Either a
                              ConfigMap reference or an APILookup must be provided.
                            properties:
                              apiCall:
                                description: |-
                                  APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                  The data returned is stored in the context with the name for the context entry.
                                properties:
                                  data:
                                    description: |-
                                      The data object specifies the POST data sent to the server.
                                      Only applicable when the method field is set to POST.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST). Defaults to GET.
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: |-
                                      Service is an API call to a JSON web service.
                                      This is used for non-Kubernetes API server calls.
                                      It's mutually exclusive with the URLPath field.
                                    properties:
                                      caBundle:
                                        description: |-
                                          CABundle is a PEM encoded CA bundle which will be used to validate
                                          the server certificate.
                                        type: string
                                      url:
                                        description: |-
                                          URL is the JSON web service URL. A typical form is
                                          `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: |-
                                      URLPath is the URL path to be used in the HTTP GET or POST request to the
                                      Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                      The format required is the same format used by the `kubectl get --raw` command.
                                      See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                      It's mutually exclusive with the Service field.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              globalReference:
                                description: GlobalContextEntryReference is a reference
                                  to a cached global context entry.
                                properties:
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  name:
                                    description: Name of the global context entry
                                    type: string
                                type: object
                              imageRegistry:
                                description: |-
                                  ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                  details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with the registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry.
                                        type: boolean
                                      providers:
                                        description: |-
                                          Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                          It can be one of these values: default, google, azure, amazon, github.
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: |-
                                          Secrets specifies a list of secrets that are provided for credentials.
                                          Secrets must live in the Kyverno namespace.
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: |-
                                      Reference is image reference to a container image in the registry.
                                      Example: ghcr.io/kyverno/kyverno:latest
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: |-
                                      Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                      expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JMESPath Expression that can be used to
                                      transform the variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: |-
                            ExcludeResources defines when this policy rule should not be applied. The exclude
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                   description: Operations can contain values ["CREATE",
                                     "UPDATE", "CONNECT", "DELETE"], which are used
                                     to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                    Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                      If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: |-
                                Clone specifies the source resource used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither is provided, the generated
                                resource will be created with default data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resources used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: |-
                                    Selector is a label selector. Wildcard characters are not supported
                                    in `matchLabels` keys and values.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: |-
                                Data provides the resource declaration used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither is provided, the generated
                                resource will be created with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            generateExisting:
                              description: |-
                                GenerateExisting controls whether to trigger the rule on existing resources.
                                If set to "true", the rule will be triggered and applied to existing matched resources.
                              type: boolean
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            orphanDownstreamOnPolicyDelete:
                              description: |-
                                OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                                them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                                See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                                Defaults to "false" if not specified.
                              type: boolean
                            synchronize:
                              description: |-
                                Synchronize controls if generated resources should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                                data from Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                            uid:
                              description: UID specifies the resource uid.
                              type: string
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: |-
                                    JMESPath is an optional JMESPath expression to apply to the image value.
                                    This is useful when the extracted image begins with a prefix like 'docker://'.
                                    The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                    Note - Image digest mutation may not be used when applying a JMESPath to an image.
                                  type: string
                                key:
                                  description: |-
                                    Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                    Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: |-
                                    Name is the entry under which the image will be available as 'images.<name>' in the context.
                                    If this field is not defined, image entries will appear under 'images.custom'.
                                  type: string
                                path:
                                  description: |-
                                    Path is the path to the object containing the image field in a custom resource.
                                    It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                    Wildcard keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: |-
                                    Value is an optional name of the field within 'path' that points to the image URI.
                                    This is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: |-
                            ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                            This config is only valid for verifyImages rules.
                          type: object
                        match:
                          description: |-
                            MatchResources defines when this policy rule should be applied. The match
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                 description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                           Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                           and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                           Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                           ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                           Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                         Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                             Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                 description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                           Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                           and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                           Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                           ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                           Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                         Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                             Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                     Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                     and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                     Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                   description: Operations can contain values ["CREATE",
                                     "UPDATE", "CONNECT", "DELETE"], which are used
                                     to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                     Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                       If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                         ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                 Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                     It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  order:
                                    description: |-
                                      Order defines the iteration order on the list.
                                       Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: |-
                                      PatchStrategicMerge is a strategic merge patch used to modify resources.
                                      See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: |-
                                      PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                      See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                           finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            mutateExistingOnPolicyUpdate:
                              description: MutateExistingOnPolicyUpdate controls if
                                the mutateExisting rule will be applied on policy
                                events.
                              type: boolean
                            patchStrategicMerge:
                              description: |-
                                PatchStrategicMerge is a strategic merge patch used to modify resources.
                                See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: |-
                                PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Each entry names one
                                        data source: a ConfigMap reference, an API call, a global context entry reference, an
                                        image registry lookup, or an inline variable.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the cached value of the referenced global context entry
                                                before it is exposed under this context entry's name.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                    Leave unset in production and enable only
                                                    for registries that cannot be reached securely.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    Each value must be one of: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: |-
                                      Preconditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                       of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    x-kubernetes-preserve-unknown-fields: true
                                  uid:
                                    description: UID specifies the resource uid.
                                    type: string
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule. It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: |-
                            Preconditions are used to determine if a policy rule should be applied by evaluating a
                            set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                             of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                            will be deprecated in the next major release.
                            See: https://kyverno.io/docs/writing-policies/preconditions/
                          x-kubernetes-preserve-unknown-fields: true
                        skipBackgroundRequests:
                          default: true
                          description: |-
                            SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                             The default value is "true"; it must be set to "false" to apply
                            generate and mutateExisting rules to those requests.
                          type: boolean
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: |-
                                AnyPattern specifies list of validation patterns. At least one of the patterns
                                must be satisfied for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: |-
                                          key specifies the audit annotation key. The audit annotation keys of
                                          a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                          The key is combined with the resource name of the
                                          ValidatingAdmissionPolicy to construct an audit annotation key:
                                          "{ValidatingAdmissionPolicy name}/{key}".


                                          If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation key will be identical.
                                          In this case, the first annotation written with the key will be included
                                          in the audit event and all subsequent annotations with the same key
                                          will be discarded.


                                          Required.
                                        type: string
                                      valueExpression:
                                        description: |-
                                          valueExpression represents the expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression must evaluate to either
                                          a string or null value. If the expression evaluates to a string, the
                                          audit annotation is included with the string value. If the expression
                                          evaluates to null or empty string the audit annotation will be omitted.
                                          The valueExpression may be no longer than 5kb in length.
                                          If the result of the valueExpression is more than 10kb in length, it
                                          will be truncated to 10kb.


                                          If multiple ValidatingAdmissionPolicyBinding resources match an
                                          API request, then the valueExpression will be evaluated for
                                          each binding. All unique values produced by the valueExpressions
                                          will be joined together in a comma-separated list.


                                          Required.
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                          expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables:\n\n\n- 'object' - The object
                                          from the incoming request. The value is
                                          null for DELETE requests.\n- 'oldObject'
                                          - The existing object. The value is null
                                          for CREATE requests.\n- 'request' - Attributes
                                          of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                          'params' - Parameter resource referred to
                                          by the policy binding being evaluated. Only
                                          populated if the policy has a ParamKind.\n-
                                          'namespaceObject' - The namespace object
                                          that the incoming object belongs to. The
                                          value is null for cluster-scoped resources.\n-
                                          'variables' - Map of composited variables,
                                          from its name to its lazily evaluated value.\n
                                          \ For example, a variable named 'foo' can
                                          be accessed as 'variables.foo'.\n- 'authorizer'
                                          - A CEL Authorizer. May be used to perform
                                          authorization checks for the principal (user
                                          or service account) of the request.\n  See
                                          https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                          'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the\n  request resource.\n\n\nThe `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the\nobject.
                                          No other metadata properties are accessible.\n\n\nOnly
                                          property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                          are accessible.\nAccessible property names
                                          are escaped according to the following rules
                                          when accessed in the expression:\n- '__'
                                          escapes to '__underscores__'\n- '.' escapes
                                          to '__dot__'\n- '-' escapes to '__dash__'\n-
                                          '/' escapes to '__slash__'\n- Property names
                                          that exactly match a CEL RESERVED keyword
                                          escape to '__{keyword}__'. The keywords
                                          are:\n\t  \"true\", \"false\", \"null\",
                                          \"in\", \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",\n\t
                                          \ \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\".\nExamples:\n
                                          \ - Expression accessing a property named
                                          \"namespace\": {\"Expression\": \"object.__namespace__
                                          > 0\"}\n  - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"}\n  - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"}\n\n\nEquality on arrays with list
                                          type of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1].\nConcatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type:\n  - 'set':
                                          `X + Y` performs a union where the array
                                          positions of all elements in `X` are preserved
                                          and\n    non-intersecting elements in `Y`
                                          are appended, retaining their partial order.\n
                                          \ - 'map': `X + Y` performs a merge where
                                          the array positions of all keys in `X` are
                                          preserved but the values\n    are overwritten
                                          by values in `Y` when the key sets of `X`
                                          and `Y` intersect. Elements in `Y` with\n
                                          \   non-intersecting keys are appended,
                                          retaining their partial order.\nRequired."
                                        type: string
                                      message:
                                        description: |-
                                          Message represents the message displayed when validation fails. The message is required if the Expression contains
                                          line breaks. The message must not contain line breaks.
                                          If unset, the message is "failed rule: {Rule}".
                                          e.g. "must be a URL with the host matching spec.host"
                                           If the Expression contains line breaks, Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression: {Expression}".
                                        type: string
                                      messageExpression:
                                        description: |-
                                          messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                          Since messageExpression is used as a failure message, it must evaluate to a string.
                                          If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                          If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                          as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                          that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                          the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                          messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                          Example:
                                          "object.x must be less than max ("+string(params.max)+")"
                                        type: string
                                      reason:
                                        description: |-
                                          Reason represents a machine-readable description of why this validation failed.
                                          If this is the first validation in the list to fail, this reason, as well as the
                                          corresponding HTTP response code, are used in the
                                          HTTP response to the client.
                                          The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                          If not set, StatusReasonInvalid is used in the response to the client.
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: |-
                                        APIVersion is the API group version the resources belong to.
                                        In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind is the API kind the resources belong to.
                                        Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: |-
                                        `name` is the name of the resource being referenced.


                                        `name` and `selector` are mutually exclusive properties. If one is set,
                                        the other must be unset.
                                      type: string
                                    namespace:
                                      description: |-
                                        namespace is the namespace of the referenced resource. Allows limiting
                                        the search for params to a specific namespace. Applies to both `name` and
                                        `selector` fields.


                                        A per-namespace parameter may be used by specifying a namespace-scoped
                                        `paramKind` in the policy and leaving this field empty.


                                        - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                        field results in a configuration error.


                                        - If `paramKind` is namespace-scoped, the namespace of the object being
                                        evaluated for admission will be used when this field is left unset. Take
                                        care that if this is left empty the binding must not match any cluster-scoped
                                        resources, which will result in an error.
                                      type: string
                                    parameterNotFoundAction:
                                      description: |-
                                        `parameterNotFoundAction` controls the behavior of the binding when the resource
                                        exists, and name or selector is valid, but there are no parameters
                                        matched by the binding. If the value is set to `Allow`, then no
                                        matched parameters will be treated as successful validation by the binding.
                                        If set to `Deny`, then no matched parameters will be subject to the
                                        `failurePolicy` of the policy.


                                        Allowed values are `Allow` or `Deny`
                                         Defaults to `Deny`.
                                      type: string
                                    selector:
                                      description: |-
                                        selector can be used to match multiple param objects based on their labels.
                                        Supply selector: {} to match all resources of the ParamKind.


                                        If multiple params are found, they are all evaluated with the policy expressions
                                        and the results are ANDed together.


                                        One of `name` or `selector` must be set, but `name` and `selector` are
                                        mutually exclusive properties. If one is set, the other must be unset.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list
                                            of label selector requirements. The requirements
                                            are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key
                                                  that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                variables:
                                  description: |-
                                    Variables contain definitions of variables that can be used in composition of other expressions.
                                    Each variable is defined as a named CEL expression.
                                    The variables defined here will be available under `variables` in other expressions of the policy.
                                  items:
                                    description: Variable is the definition of a variable
                                      that is used for composition.
                                    properties:
                                      expression:
                                        description: |-
                                          Expression is the expression that will be evaluated as the value of the variable.
                                          The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                        type: string
                                      name:
                                        description: |-
                                          Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                          The variable can be accessed in other expressions through `variables`
                                          For example, if name is "foo", the variable will be available as `variables.foo`
                                        type: string
                                    required:
                                    - expression
                                    - name
                                    type: object
                                  type: array
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: |-
                                    Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: |-
                                      AnyPattern specifies list of validation patterns. At least one of the patterns
                                      must be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                 Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                 used for authentication with the registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                     It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: |-
                                          Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                          of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                          but will be deprecated in the next major release.
                                          See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: |-
                                      ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used as the validation scope within the foreach
                                      block to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be a fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be a fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is the custom domain
                                    of the annotations for message and signature.
                                    Default is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specifies the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specifies the signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: |-
                                    Repository is an optional alternate OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: |-
                                PodSecurity applies exemptions for Kubernetes Pod Security admission
                                by specifying exclusions for Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: |-
                                          ControlName specifies the name of the Pod Security Standard control.
                                          See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: |-
                                          Images selects matching containers and applies the container level PSS.
                                          Each image is the image name consisting of the registry address, repository, image, and tag.
                                          Empty list matches no containers, PSS checks are applied at the pod level only.
                                          Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                        items:
                                          type: string
                                        type: array
                                      restrictedField:
                                        description: |-
                                          RestrictedField selects the field for the given Pod Security Standard control.
                                          When not set, all restricted fields for the control are selected.
                                        type: string
                                      values:
                                        description: Values defines the allowed values
                                          that can be excluded.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: |-
                                    Level defines the Pod Security Standard level to be applied to workloads.
                                    Allowed values are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: |-
                                    Version defines the Pod Security Standard versions that Kubernetes supports.
                                    Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - v1.27
                                  - v1.28
                                  - v1.29
                                  - latest
                                  type: string
                              type: object
                            validationFailureAction:
                              description: |-
                                ValidationFailureAction defines if a validation policy rule violation should block
                                the admission review request (enforce), or allow (audit) the admission review request
                                and report an error in a policy report. Optional.
                                Allowed values are audit or enforce (the capitalized forms Audit and Enforce are also accepted).
                              enum:
                              - audit
                              - enforce
                              - Audit
                              - Enforce
                              type: string
                            validationFailureActionOverrides:
                              description: |-
                                ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                                namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                              items:
                                properties:
                                  action:
                                    description: ValidationFailureAction defines the
                                      policy validation failure action
                                    enum:
                                    - audit
                                    - enforce
                                    - Audit
                                    - Enforce
                                    type: string
                                  namespaceSelector:
                                    description: |-
                                      A label selector is a label query over a set of resources. The result of matchLabels and
                                      matchExpressions are ANDed. An empty label selector matches all objects. A null
                                      label selector matches no objects.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    items:
                                      type: string
                                    type: array
                                type: object
                              type: array
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate the image references to add a digest.
                          items:
                            description: |-
                              ImageVerification validates that images that match the specified pattern
                              are signed with the supplied public key. Once the image is verified it is
                              mutated to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Deprecated. Use annotations per Attestor
                                  instead.
                                type: object
                              attestations:
                                description: |-
                                  Attestations are optional checks for signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                  OCI registry and decodes them into a list of Statement declarations.
                                items:
                                  description: |-
                                    An Attestation is a check for signed in-toto Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                    OCI registry and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities).
                                      items:
                                        properties:
                                          count:
                                            description: |-
                                              Count specifies the required number of entries that must match. If the count is null, all entries must match
                                              (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                              value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: |-
                                              Entries contains the available attestors. An attestor can be a static key,
                                              attributes for keyless verification, or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: |-
                                                    Annotations are used for image verification.
                                                    Every specified key-value pair must exist and match in the verified payload.
                                                    The payload may contain other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    set of Attestors used to specify
                                                    a more complex set of match authorities.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates.
                                                  properties:
                                                    cert:
                                                      description: Cert is an optional
                                                        PEM-encoded public certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertChain is an
                                                        optional PEM-encoded set of
                                                        certificates used for verification.
                                                      type: string
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: |-
                                                    Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                    See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    roots:
                                                      description: |-
                                                        Roots is an optional set of PEM-encoded trusted root certificates.
                                                        If not provided, the system roots are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address.
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys.
                                                  properties:
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp response.
                                                          type: string
                                                      type: object
                                                    kms:
                                                      description: |-
                                                        KMS provides the URI to the public key stored in a Key Management System. See:
                                                        https://github.com/sigstore/cosign/blob/main/KMS.md
                                                      type: string
                                                    publicKeys:
                                                      description: |-
                                                        Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                        specified or can be a variable reference to a key specified in a ConfigMap (see
                                                        https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                        elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify a key `cosign.pub` containing the public key used for
                                                        verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified each key is processed as a separate staticKey entry
                                                        (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha224,
                                                        sha256, sha384 and sha512.
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: |-
                                                    Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                    If specified Repository will override other OCI image repository locations for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: |-
                                        Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long as there are predicates that match the predicate type.
                                      items:
                                        description: |-
                                          AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                          AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                          AllConditions get fulfilled only when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: |-
                                              AllConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, all of the conditions need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: |-
                                              AnyConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, at least one of the conditions needs to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: Deprecated in favour of 'Type',
                                        to be removed soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specifies the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: |-
                                        Count specifies the required number of entries that must match. If the count is null, all entries must match
                                        (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                        value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: |-
                                        Entries contains the available attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              Annotations are used for image verification.
                                              Every specified key-value pair must exist and match in the verified payload.
                                              The payload may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested set
                                              of Attestor used to specify a more complex
                                              set of match authorities.
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates.
                                            properties:
                                              cert:
                                                description: Cert is an optional PEM-encoded
                                                  public certificate.
                                                type: string
                                              certChain:
                                                description: CertChain is an optional
                                                  PEM encoded set of certificates
                                                  used to verify.
                                                type: string
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                            type: object
                                          keyless:
                                            description: |-
                                              Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              roots:
                                                description: |-
                                                  Roots is an optional set of PEM encoded trusted root certificates.
                                                  If not provided, the system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address.
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys.
                                            properties:
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              kms:
                                                description: |-
                                                  KMS provides the URI to the public key stored in a Key Management System. See:
                                                  https://github.com/sigstore/cosign/blob/main/KMS.md
                                                type: string
                                              publicKeys:
                                                description: |-
                                                  Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                  specified or can be a variable reference to a key specified in a ConfigMap (see
                                                  https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                  elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a key `cosign.pub` containing the public key used for
                                                  verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified, each key is processed as a separate staticKey entry
                                                  (.attestors[*].entries.keys) within the set of attestors, and the count is applied across the keys.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha224, sha256, sha384 and sha512.
                                                type: string
                                            type: object
                                          repository:
                                            description: |-
                                              Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                              If specified Repository will override other OCI image repository locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              cosignOCI11:
                                description: |-
                                  CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                                  Defaults to false.
                                type: boolean
                              image:
                                description: Deprecated. Use ImageReferences instead.
                                type: string
                              imageReferences:
                                description: |-
                                  ImageReferences is a list of matching image reference patterns. At least one pattern in the
                                  list must match the image for the rule to apply. Each image reference consists of a registry
                                  address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry.
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI registry authentication providers to use.
                                      Each entry must be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              key:
                                description: Deprecated. Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: |-
                                  MutateDigest enables replacement of image tags with digests.
                                  Defaults to true.
                                type: boolean
                              repository:
                                description: |-
                                  Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                                  If specified Repository will override the default OCI image repository configured for the installation.
                                  The repository can also be overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified,
                                  i.e. have passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              skipImageReferences:
                                description: |-
                                  SkipImageReferences is a list of matching image reference patterns that should be skipped.
                                  At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                                  consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              subject:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              type:
                                description: |-
                                  Type specifies the method of signature validation. The allowed options
                                  are Cosign and Notary. By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule.
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: |-
                  RuleCountStatus contains four variables which describe counts for
                  validate, generate, mutate and verify images rules.
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
              validatingadmissionpolicy:
                description: ValidatingAdmissionPolicy contains status information
                properties:
                  generated:
                    description: Generated indicates whether a validating admission
                      policy is generated from the policy or not
                    type: boolean
                  message:
                    description: |-
                      Message is a human readable message indicating details about the generation of the validating admission policy.
                      It is an empty string when the validating admission policy is successfully generated.
                    type: string
                required:
                - generated
                - message
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: globalcontextentries.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: GlobalContextEntry
    listKind: GlobalContextEntryList
    plural: globalcontextentries
    shortNames:
    - gctxentry
    singular: globalcontextentry
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.apiCall.refreshInterval
      name: REFRESH INTERVAL
      type: string
    - jsonPath: .status.lastRefreshTime
      name: LAST REFRESH
      type: date
    name: v2alpha1
    schema:
      openAPIV3Schema:
        description: GlobalContextEntry declares resources to be cached.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy exception behaviors.
            properties:
              apiCall:
                description: |-
                  Stores results from an API call which will be cached.
                  Mutually exclusive with KubernetesResource.
                  This can be used to make calls to external (non-Kubernetes API server) services.
                  It can also be used to make calls to the Kubernetes API server in such cases:
                  1. A POST is needed to create a resource.
                  2. Finer-grained control is needed. Example: To restrict the number of resources cached.
                properties:
                  data:
                    description: |-
                      The data object specifies the POST data sent to the server.
                      Only applicable when the method field is set to POST.
                    items:
                      description: RequestData contains the HTTP POST data
                      properties:
                        key:
                          description: Key is a unique identifier for the data value
                          type: string
                        value:
                          description: Value is the data value
                          x-kubernetes-preserve-unknown-fields: true
                      required:
                      - key
                      - value
                      type: object
                    type: array
                  method:
                    default: GET
                    description: Method is the HTTP request type (GET or POST). Defaults
                      to GET.
                    enum:
                    - GET
                    - POST
                    type: string
                  refreshInterval:
                    default: 10m
                    description: |-
                      RefreshInterval defines the interval in duration at which to poll the APICall.
                      The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
                      such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
                    format: duration
                    type: string
                  service:
                    description: |-
                      Service is an API call to a JSON web service.
                      This is used for non-Kubernetes API server calls.
                      It's mutually exclusive with the URLPath field.
                    properties:
                      caBundle:
                        description: |-
                          CABundle is a PEM encoded CA bundle which will be used to validate
                          the server certificate.
                        type: string
                      url:
                        description: |-
                          URL is the JSON web service URL. A typical form is
                          `https://{service}.{namespace}:{port}/{path}`.
                        type: string
                    required:
                    - url
                    type: object
                  urlPath:
                    description: |-
                      URLPath is the URL path to be used in the HTTP GET or POST request to the
                      Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                      The format required is the same format used by the `kubectl get --raw` command.
                      See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                      for details.
                      It's mutually exclusive with the Service field.
                    type: string
                type: object
              kubernetesResource:
                description: |-
                  Stores a list of Kubernetes resources which will be cached.
                  Mutually exclusive with APICall.
                properties:
                  group:
                    description: Group defines the group of the resource.
                    type: string
                  namespace:
                    description: |-
                      Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
                      If left empty for namespaced resources, all resources from all namespaces will be cached.
                    type: string
                  resource:
                    description: |-
                      Resource defines the type of the resource.
                      Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
                    type: string
                  version:
                    description: Version defines the version of the resource.
                    type: string
                required:
                - group
                - resource
                - version
                type: object
            type: object
          status:
            description: Status contains globalcontextentry runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              lastRefreshTime:
                description: Indicates the time when the globalcontextentry was last
                  refreshed successfully for the API Call
                format: date-time
                type: string
              ready:
                description: Deprecated in favor of Conditions
                type: boolean
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: policies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: Policy
    listKind: PolicyList
    plural: policies
    shortNames:
    - pol
    singular: policy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: |-
          Policy declares validation, mutation, and generation behaviors for matching resources.
          See: https://kyverno.io/docs/writing-policies/ for more information.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines policy behaviors and contains one or more rules.
            properties:
              admission:
                default: true
                description: |-
                  Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: |-
                  ApplyRules controls how rules in a policy are applied. Rules are processed in
                  the order of declaration. When set to `One` processing stops after a rule has
                  been applied i.e. the rule matches and results in a pass, fail, or error. When
                  set to `All` all rules in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: |-
                  Background controls if rules are applied to existing resources during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              failurePolicy:
                description: Deprecated, use failurePolicy under the webhookConfiguration
                  instead.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: Deprecated, use generateExisting under the generate rule
                  instead
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: Deprecated, use mutateExistingOnPolicyUpdate under the
                  mutate rule instead
                type: boolean
              rules:
                description: |-
                  Rules is a list of Rule instances. A Policy contains multiple rules and
                  each rule can validate, mutate, or generate resources.
                items:
                  description: |-
                    Rule defines a validation, mutation, or generation control for matching resources.
                    Each rule contains a match declaration to select resources, and an optional exclude
                    declaration to specify which resources to exclude.
                  properties:
                    celPreconditions:
                      description: |-
                        CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                        set of CEL conditions. It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          be fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: |-
                              Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                              CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                              'object' - The object from the incoming request. The value is null for DELETE requests.
                              'oldObject' - The existing object. The value is null for CREATE requests.
                              'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                request resource.
                              Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                              Required.
                            type: string
                          name:
                            description: |-
                              Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                              as well as providing an identifier for logging purposes. A good name should be descriptive of
                              the associated expression.
                              Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                              must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
                              '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                              optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                              Required.
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: |-
                          ContextEntry adds variables and data sources to a rule Context. Either a
                          ConfigMap reference or an APILookup must be provided.
                        properties:
                          apiCall:
                            description: |-
                              APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                              The data returned is stored in the context with the name for the context entry.
                            properties:
                              data:
                                description: |-
                                  The data object specifies the POST data sent to the server.
                                  Only applicable when the method field is set to POST.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST). Defaults to GET.
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: |-
                                  Service is an API call to a JSON web service.
                                  This is used for non-Kubernetes API server calls.
                                  It's mutually exclusive with the URLPath field.
                                properties:
                                  caBundle:
                                    description: |-
                                      CABundle is a PEM encoded CA bundle which will be used to validate
                                      the server certificate.
                                    type: string
                                  url:
                                    description: |-
                                      URL is the JSON web service URL. A typical form is
                                      `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: |-
                                  URLPath is the URL path to be used in the HTTP GET or POST request to the
                                  Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the `kubectl get --raw` command.
                                  See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                  It's mutually exclusive with the Service field.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          globalReference:
                            description: GlobalContextEntryReference is a reference
                              to a cached global context entry.
                            properties:
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              name:
                                description: Name of the global context entry
                                type: string
                            type: object
                          imageRegistry:
                            description: |-
                              ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                              details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                      It can be one of these values: default,google,azure,amazon,github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the ImageData struct returned as a result of processing
                                  the image reference.
                                type: string
                              reference:
                                description: |-
                                  Reference is image reference to a container image in the registry.
                                  Example: ghcr.io/kyverno/kyverno:latest
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: |-
                                  Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JMESPath Expression that can be used to
                                  transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: |-
                        ExcludeResources defines when this policy rule should not be applied. The exclude
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespaces names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                       Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                       and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                       Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                       Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                         If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                         Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty,
                                         the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: |-
                            ResourceDescription contains information about the resource being created or modified.
                             Requires at least one field to be specified when under MatchResources.
                            Specifying ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                 Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                 and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                 Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                 Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                   If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                   Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty,
                                   the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: |-
                            Clone specifies the source resource used to populate each generated resource.
                            At most one of Data or Clone can be specified. If neither are provided, the generated
                            resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resource
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` do not
                                support wildcard characters.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: |-
                            Data provides the resource declaration used to populate each generated resource.
                            At most one of Data or Clone must be specified. If neither are provided, the generated
                            resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        generateExisting:
                          description: |-
                            GenerateExisting controls whether to trigger the rule in existing resources
                            If it is set to "true" the rule will be triggered and applied to existing matched resources.
                          type: boolean
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        orphanDownstreamOnPolicyDelete:
                          description: |-
                            OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                            them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                            See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                            Defaults to "false" if not specified.
                          type: boolean
                        synchronize:
                          description: |-
                            Synchronize controls if generated resources should be kept in-sync with their source resource.
                            If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                            data from Data or the resource specified in the Clone declaration.
                            Optional. Defaults to "false" if not specified.
                          type: boolean
                        uid:
                          description: UID specifies the resource uid.
                          type: string
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: |-
                                JMESPath is an optional JMESPath expression to apply to the image value.
                                This is useful when the extracted image begins with a prefix like 'docker://'.
                                The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                Note - Image digest mutation may not be used when applying a JMESPAth to an image.
                              type: string
                            key:
                              description: |-
                                Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: |-
                                Name is the entry the image will be available under 'images.<name>' in the context.
                                If this field is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: |-
                                Path is the path to the object containing the image field in a custom resource.
                                It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                Wildcard keys are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: |-
                                Value is an optional name of the field within 'path' that points to the image URI.
                                This is useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: |-
                        ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                        This config is only valid for verifyImages rules.
                      type: object
                    match:
                      description: |-
                        MatchResources defines when this policy rule should be applied. The match
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the user name or role.
                        At least one kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: |-
                            ResourceDescription contains information about the resource being created or modified.
                            Requires at least one tag to be specified when under MatchResources.
                            Specifying ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character).Wildcards allows writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespaces names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              order:
                                description: |-
                                  Order defines the iteration order on the list.
                                  Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: |-
                                  PatchStrategicMerge is a strategic merge patch used to modify resources.
                                  See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: |-
                                  PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be a fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        mutateExistingOnPolicyUpdate:
                          description: MutateExistingOnPolicyUpdate controls if the
                            mutateExisting rule will be applied on policy events.
                          type: boolean
                        patchStrategicMerge:
                          description: |-
                            PatchStrategicMerge is a strategic merge patch used to modify resources.
                            See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: |-
                            PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                            See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: |-
                                  Preconditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                  will be deprecated in the next major release.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                x-kubernetes-preserve-unknown-fields: true
                              uid:
                                description: UID specifies the resource uid.
                                type: string
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule. It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: |-
                        Preconditions are used to determine if a policy rule should be applied by evaluating a
                        set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                        of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                        will be deprecated in the next major release.
                        See: https://kyverno.io/docs/writing-policies/preconditions/
                      x-kubernetes-preserve-unknown-fields: true
                    skipBackgroundRequests:
                      default: true
                      description: |-
                        SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                        The default value is set to "true"; it must be set to "false" to apply
                        generate and mutateExisting rules to those requests.
                      type: boolean
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: |-
                            AnyPattern specifies list of validation patterns. At least one of the patterns
                            must be satisfied for the validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: |-
                                      key specifies the audit annotation key. The audit annotation keys of
                                      a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                      The key is combined with the resource name of the
                                      ValidatingAdmissionPolicy to construct an audit annotation key:
                                      "{ValidatingAdmissionPolicy name}/{key}".


                                      If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation key will be identical.
                                      In this case, the first annotation written with the key will be included
                                      in the audit event and all subsequent annotations with the same key
                                      will be discarded.


                                      Required.
                                    type: string
                                  valueExpression:
                                    description: |-
                                      valueExpression represents the expression which is evaluated by CEL to
                                      produce an audit annotation value. The expression must evaluate to either
                                      a string or null value. If the expression evaluates to a string, the
                                      audit annotation is included with the string value. If the expression
                                      evaluates to null or empty string the audit annotation will be omitted.
                                      The valueExpression may be no longer than 5kb in length.
                                      If the result of the valueExpression is more than 10kb in length, it
                                      will be truncated to 10kb.


                                      If multiple ValidatingAdmissionPolicyBinding resources match an
                                      API request, then the valueExpression will be evaluated for
                                      each binding. All unique values produced by the valueExpressions
                                      will be joined together in a comma-separated list.


                                      Required.
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                      expressions have access to the contents of the
                                      API request/response, organized into CEL variables
                                      as well as some other useful variables:\n\n\n-
                                      'object' - The object from the incoming request.
                                      The value is null for DELETE requests.\n- 'oldObject'
                                      - The existing object. The value is null for
                                      CREATE requests.\n- 'request' - Attributes of
                                      the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                      'params' - Parameter resource referred to by
                                      the policy binding being evaluated. Only populated
                                      if the policy has a ParamKind.\n- 'namespaceObject'
                                      - The namespace object that the incoming object
                                      belongs to. The value is null for cluster-scoped
                                      resources.\n- 'variables' - Map of composited
                                      variables, from its name to its lazily evaluated
                                      value.\n  For example, a variable named 'foo'
                                      can be accessed as 'variables.foo'.\n- 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                      'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the\n  request resource.\n\n\nThe `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the\nobject.
                                      No other metadata properties are accessible.\n\n\nOnly
                                      property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible.\nAccessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression:\n- '__' escapes
                                      to '__underscores__'\n- '.' escapes to '__dot__'\n-
                                      '-' escapes to '__dash__'\n- '/' escapes to
                                      '__slash__'\n- Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are:\n\t  \"true\", \"false\",
                                      \"null\", \"in\", \"as\", \"break\", \"const\",
                                      \"continue\", \"else\", \"for\", \"function\",
                                      \"if\",\n\t  \"import\", \"let\", \"loop\",
                                      \"package\", \"namespace\", \"return\".\nExamples:\n
                                      \ - Expression accessing a property named \"namespace\":
                                      {\"Expression\": \"object.__namespace__ > 0\"}\n
                                      \ - Expression accessing a property named \"x-prop\":
                                      {\"Expression\": \"object.x__dash__prop > 0\"}\n
                                      \ - Expression accessing a property named \"redact__d\":
                                      {\"Expression\": \"object.redact__underscores__d
                                      > 0\"}\n\n\nEquality on arrays with list type
                                      of 'set' or 'map' ignores element order, i.e.
                                      [1, 2] == [2, 1].\nConcatenation on arrays with
                                      x-kubernetes-list-type use the semantics of
                                      the list type:\n  - 'set': `X + Y` performs
                                      a union where the array positions of all elements
                                      in `X` are preserved and\n    non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order.\n  - 'map': `X + Y` performs
                                      a merge where the array positions of all keys
                                      in `X` are preserved but the values\n    are
                                      overwritten by values in `Y` when the key sets
                                      of `X` and `Y` intersect. Elements in `Y` with\n
                                      \   non-intersecting keys are appended, retaining
                                      their partial order.\nRequired."
                                    type: string
                                  message:
                                    description: |-
                                      Message represents the message displayed when validation fails. The message is required if the Expression contains
                                      line breaks. The message must not contain line breaks.
                                      If unset, the message is "failed rule: {Rule}".
                                      e.g. "must be a URL with the host matching spec.host"
                                       If the Expression contains line breaks, Message is required.
                                      The message must not contain line breaks.
                                      If unset, the message is "failed Expression: {Expression}".
                                    type: string
                                  messageExpression:
                                    description: |-
                                      messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                      Since messageExpression is used as a failure message, it must evaluate to a string.
                                      If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                      If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                      as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                      that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                      the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                      messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                      Example:
                                      "object.x must be less than max ("+string(params.max)+")"
                                    type: string
                                  reason:
                                    description: |-
                                      Reason represents a machine-readable description of why this validation failed.
                                      If this is the first validation in the list to fail, this reason, as well as the
                                      corresponding HTTP response code, are used in the
                                      HTTP response to the client.
                                      The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                      If not set, StatusReasonInvalid is used in the response to the client.
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                               description: ParamKind is a tuple of Group, Kind and
                                 Version.
                              properties:
                                apiVersion:
                                  description: |-
                                    APIVersion is the API group version the resources belong to.
                                    In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: |-
                                    Kind is the API kind the resources belong to.
                                    Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: |-
                                    `name` is the name of the resource being referenced.


                                    `name` and `selector` are mutually exclusive properties. If one is set,
                                    the other must be unset.
                                  type: string
                                namespace:
                                  description: |-
                                    namespace is the namespace of the referenced resource. Allows limiting
                                    the search for params to a specific namespace. Applies to both `name` and
                                    `selector` fields.


                                    A per-namespace parameter may be used by specifying a namespace-scoped
                                    `paramKind` in the policy and leaving this field empty.


                                    - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                    field results in a configuration error.


                                    - If `paramKind` is namespace-scoped, the namespace of the object being
                                    evaluated for admission will be used when this field is left unset. Take
                                    care that if this is left empty the binding must not match any cluster-scoped
                                    resources, which will result in an error.
                                  type: string
                                parameterNotFoundAction:
                                  description: |-
                                    `parameterNotFoundAction` controls the behavior of the binding when the resource
                                    exists, and name or selector is valid, but there are no parameters
                                    matched by the binding. If the value is set to `Allow`, then no
                                    matched parameters will be treated as successful validation by the binding.
                                    If set to `Deny`, then no matched parameters will be subject to the
                                    `failurePolicy` of the policy.


                                     Allowed values are `Allow` or `Deny`.
                                     Defaults to `Deny`.
                                  type: string
                                selector:
                                  description: |-
                                    selector can be used to match multiple param objects based on their labels.
                                    Supply selector: {} to match all resources of the ParamKind.


                                    If multiple params are found, they are all evaluated with the policy expressions
                                    and the results are ANDed together.


                                    One of `name` or `selector` must be set, but `name` and `selector` are
                                    mutually exclusive properties. If one is set, the other must be unset.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                              x-kubernetes-map-type: atomic
                            variables:
                              description: |-
                                Variables contain definitions of variables that can be used in composition of other expressions.
                                Each variable is defined as a named CEL expression.
                                The variables defined here will be available under `variables` in other expressions of the policy.
                              items:
                                description: Variable is the definition of a variable
                                  that is used for composition.
                                properties:
                                  expression:
                                    description: |-
                                      Expression is the expression that will be evaluated as the value of the variable.
                                      The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                    type: string
                                  name:
                                    description: |-
                                      Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                       The variable can be accessed in other expressions through `variables`.
                                       For example, if name is "foo", the variable will be available as `variables.foo`.
                                    type: string
                                required:
                                - expression
                                - name
                                type: object
                              type: array
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: |-
                                Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                but will be deprecated in the next major release.
                                See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                              x-kubernetes-preserve-unknown-fields: true
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: |-
                                  AnyPattern specifies list of validation patterns. At least one of the patterns
                                  must be satisfied for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                     ContextEntry adds variables and data sources to a rule Context. Either a
                                     ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                             Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                             with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                It can be of one of these values: default,google,azure,amazon,github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: |-
                                      Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                      of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: |-
                                  ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                  When set to "false", "request.object" is used as the validation scope within the foreach
                                  block to allow referencing other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is the custom domain of the annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specifies the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: |-
                                      Count specifies the required number of entries that must match. If the count is null, all entries must match
                                      (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                      value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: |-
                                      Entries contains the available attestors. An attestor can be a static key,
                                      attributes for keyless verification, or a nested attestor declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            Annotations are used for image verification.
                                            Every specified key-value pair must exist and match in the verified payload.
                                            The payload may contain other key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested set of
                                            Attestor used to specify a more complex
                                            set of match authorities.
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates.
                                          properties:
                                            cert:
                                              description: Cert is an optional PEM-encoded
                                                public certificate.
                                              type: string
                                            certChain:
                                              description: CertChain is an optional
                                                PEM-encoded set of certificates used
                                                to verify.
                                              type: string
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                  type: string
                                              type: object
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                          type: object
                                        keyless:
                                          description: |-
                                            Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                  type: string
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            roots:
                                              description: |-
                                                Roots is an optional set of PEM-encoded trusted root certificates.
                                                If not provided, the system roots are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address.
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys.
                                          properties:
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp.
                                                  type: string
                                              type: object
                                            kms:
                                              description: |-
                                                KMS provides the URI to the public key stored in a Key Management System. See:
                                                https://github.com/sigstore/cosign/blob/main/KMS.md
                                              type: string
                                            publicKeys:
                                              description: |-
                                                Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                specified or can be a variable reference to a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key `cosign.pub` containing the public key used for
                                                verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified, each key is processed as a separate staticKey entry
                                                (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha224, sha256, sha384 and sha512.
                                              type: string
                                          type: object
                                        repository:
                                          description: |-
                                            Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                            If specified Repository will override other OCI image repository locations for this Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: |-
                                Repository is an optional alternate OCI repository to use for resource bundle reference.
                                The repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: |-
                            PodSecurity applies exemptions for Kubernetes Pod Security admission
                            by specifying exclusions for Pod Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: |-
                                      ControlName specifies the name of the Pod Security Standard control.
                                      See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: |-
                                      Images selects matching containers and applies the container level PSS.
                                      Each image is the image name consisting of the registry address, repository, image, and tag.
                                      Empty list matches no containers, PSS checks are applied at the pod level only.
                                      Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                    items:
                                      type: string
                                    type: array
                                  restrictedField:
                                    description: |-
                                      RestrictedField selects the field for the given Pod Security Standard control.
                                      When not set, all restricted fields for the control are selected.
                                    type: string
                                  values:
                                    description: Values defines the allowed values
                                      that can be excluded.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: |-
                                Level defines the Pod Security Standard level to be applied to workloads.
                                Allowed values are privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: |-
                                Version defines the Pod Security Standard versions that Kubernetes supports.
                                Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - v1.27
                              - v1.28
                              - v1.29
                              - latest
                              type: string
                          type: object
                        validationFailureAction:
                          description: |-
                            ValidationFailureAction defines if a validation policy rule violation should block
                            the admission review request (enforce), or allow (audit) the admission review request
                            and report an error in a policy report. Optional.
                            Allowed values are audit or enforce.
                          enum:
                          - audit
                          - enforce
                          - Audit
                          - Enforce
                          type: string
                        validationFailureActionOverrides:
                          description: |-
                            ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                            namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                          items:
                            properties:
                              action:
                                description: ValidationFailureAction defines the policy
                                  validation failure action
                                enum:
                                - audit
                                - enforce
                                - Audit
                                - Enforce
                                type: string
                              namespaceSelector:
                                description: |-
                                  A label selector is a label query over a set of resources. The result of matchLabels and
                                  matchExpressions are ANDed. An empty label selector matches all objects. A null
                                  label selector matches no objects.
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: |-
                                        A label selector requirement is a selector that contains values, a key, and an operator that
                                        relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: |-
                                            operator represents a key's relationship to a set of values.
                                            Valid operators are In, NotIn, Exists and DoesNotExist.
                                          type: string
                                        values:
                                          description: |-
                                            values is an array of string values. If the operator is In or NotIn,
                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array is replaced during a strategic
                                            merge patch.
                                          items:
                                            type: string
                                          type: array
                                          x-kubernetes-list-type: atomic
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                    x-kubernetes-list-type: atomic
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                                x-kubernetes-map-type: atomic
                              namespaces:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: |-
                          ImageVerification validates that images that match the specified pattern
                          are signed with the supplied public key. Once the image is verified it is
                          mutated to include the SHA digest retrieved during the registration.
                        properties:
                          additionalExtensions:
                            additionalProperties:
                              type: string
                            description: Deprecated.
                            type: object
                          annotations:
                            additionalProperties:
                              type: string
                            description: Deprecated. Use annotations per Attestor
                              instead.
                            type: object
                          attestations:
                            description: |-
                              Attestations are optional checks for signed in-toto Statements used to verify the image.
                              See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                              OCI registry and decodes them into a list of Statement declarations.
                            items:
                              description: |-
                                Attestation are checks for signed in-toto Statements that are used to verify the image.
                                See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                OCI registry and decodes them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities).
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified, Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: |-
                                    Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                     the attestation check is satisfied as long as there are predicates that match the predicate type.
                                  items:
                                    description: |-
                                      AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                      AllConditions get fulfilled only when all of its sub-conditions pass.
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                           finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                           finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                           Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: Deprecated in favour of 'Type', to
                                    be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specifies the required attestors
                              (i.e. authorities).
                            items:
                              properties:
                                count:
                                  description: |-
                                    Count specifies the required number of entries that must match. If the count is null, all entries must match
                                    (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                    value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: |-
                                    Entries contains the available attestors. An attestor can be a static key,
                                    attributes for keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations are used for image verification.
                                          Every specified key-value pair must exist and match in the verified payload.
                                          The payload may contain other key-value pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested set of Attestor
                                          used to specify a more complex set of match
                                          authorities.
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates.
                                        properties:
                                          cert:
                                            description: Cert is an optional PEM-encoded
                                              public certificate.
                                            type: string
                                          certChain:
                                            description: CertChain is an optional
                                              PEM encoded set of certificates used
                                              to verify.
                                            type: string
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if it is not present in the timestamp response.
                                                type: string
                                            type: object
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                        type: object
                                      keyless:
                                        description: |-
                                          Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if it is not present in the timestamp response.
                                                type: string
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          roots:
                                            description: |-
                                              Roots is an optional set of PEM encoded trusted root certificates.
                                              If not provided, the system roots are used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address.
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys.
                                        properties:
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if it is not present in the timestamp response.
                                                type: string
                                            type: object
                                          kms:
                                            description: |-
                                              KMS provides the URI to the public key stored in a Key Management System. See:
                                              https://github.com/sigstore/cosign/blob/main/KMS.md
                                            type: string
                                          publicKeys:
                                            description: |-
                                              Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                              specified or can be a variable reference to a key specified in a ConfigMap (see
                                              https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key `cosign.pub` containing the public key used for
                                              verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each key is processed as a separate staticKey entry
                                              (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specifies the signature algorithm
                                              for public keys. Supported values are
                                              sha224, sha256, sha384 and sha512.
                                            type: string
                                        type: object
                                      repository:
                                        description: |-
                                          Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                          If specified, Repository will override other OCI image repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          cosignOCI11:
                            description: |-
                              CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                              Defaults to false.
                            type: boolean
                          image:
                            description: Deprecated. Use ImageReferences instead.
                            type: string
                          imageReferences:
                            description: |-
                              ImageReferences is a list of matching image reference patterns. At least one pattern in the
                              list must match the image for the rule to apply. Each image reference consists of a registry
                              address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with the registry.
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry.
                                type: boolean
                              providers:
                                description: |-
                                  Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                  It can be one of these values: default, google, azure, amazon, github.
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: |-
                                  Secrets specifies a list of secrets that are provided for credentials.
                                  Secrets must live in the Kyverno namespace.
                                items:
                                  type: string
                                type: array
                            type: object
                          issuer:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          key:
                            description: Deprecated. Use StaticKeyAttestor instead.
                            type: string
                          mutateDigest:
                            default: true
                            description: |-
                              MutateDigest enables replacement of image tags with digests.
                              Defaults to true.
                            type: boolean
                          repository:
                            description: |-
                              Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                              If specified Repository will override the default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have passed a signature or attestation check.
                            type: boolean
                          roots:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          skipImageReferences:
                            description: |-
                              SkipImageReferences is a list of matching image reference patterns that should be skipped.
                              At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                              consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          subject:
                            description: Deprecated. Use KeylessAttestor instead.
                            type: string
                          type:
                            description: |-
                              Type specifies the method of signature validation. The allowed options
                              are Cosign and Notary. By default Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule.
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: Deprecated.
                type: boolean
              useServerSideApply:
                description: |-
                  UseServerSideApply controls whether to use server-side apply for generate rules
                  If set to "true", create & update for generate rules will use apply instead of create/update.
                  Defaults to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: Deprecated, use validationFailureAction under the validate
                  rule instead.
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: Deprecated, use validationFailureActionOverrides under
                  the validate rule instead.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: |-
                        A label selector is a label query over a set of resources. The result of matchLabels and
                        matchExpressions are ANDed. An empty label selector matches all objects. A null
                        label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookConfiguration:
                description: WebhookConfiguration specifies the custom configuration
                  for Kubernetes admission webhookconfiguration.
                properties:
                  failurePolicy:
                    description: |-
                      FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
                      Rules within the same policy share the same failure behavior.
                      This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
                      Allowed values are Ignore or Fail. Defaults to Fail.
                    enum:
                    - Ignore
                    - Fail
                    type: string
                  matchConditions:
                    description: |-
                      MatchCondition configures admission webhook matchConditions.
                      Requires Kubernetes 1.27 or later.
                    items:
                      description: MatchCondition represents a condition which must
                        be fulfilled for a request to be sent to a webhook.
                      properties:
                        expression:
                          description: |-
                            Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                            CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                            'object' - The object from the incoming request. The value is null for DELETE requests.
                            'oldObject' - The existing object. The value is null for CREATE requests.
                            'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                            'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                              See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                            'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                              request resource.
                            Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                            Required.
                          type: string
                        name:
                          description: |-
                            Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                            as well as providing an identifier for logging purposes. A good name should be descriptive of
                            the associated expression.
                            Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                            must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                            '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                            optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                            Required.
                          type: string
                      required:
                      - expression
                      - name
                      type: object
                    type: array
                  timeoutSeconds:
                    description: |-
                      TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
                      After the configured time expires, the admission request may fail, or may simply ignore the policy results,
                      based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.
                    format: int32
                    type: integer
                type: object
              webhookTimeoutSeconds:
                description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
                  instead.
                format: int32
                type: integer
            type: object
          status:
            description: Deprecated. Policy metrics are available via the metrics
              endpoint
            properties:
              autogen:
                description: AutogenStatus contains autogen status information.
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: |-
                        Rule defines a validation, mutation, or generation control for matching resources.
                        Each rule contains a match declaration to select resources, and an optional exclude
                        declaration to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: |-
                            CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                            set of CEL conditions. It can only be used with the validate.cel subrule
                          items:
                            description: MatchCondition represents a condition which
                              must be fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: |-
                                  Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                                  CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                                  'object' - The object from the incoming request. The value is null for DELETE requests.
                                  'oldObject' - The existing object. The value is null for CREATE requests.
                                  'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                    See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                    request resource.
                                  Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                                  Required.
                                type: string
                              name:
                                description: |-
                                  Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes. A good name should be descriptive of
                                  the associated expression.
                                  Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                                  '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                                  optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                                  Required.
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: |-
                              ContextEntry adds variables and data sources to a rule Context. Either a
                              ConfigMap reference or an APILookup must be provided.
                            properties:
                              apiCall:
                                description: |-
                                  APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                  The data returned is stored in the context with the name for the context entry.
                                properties:
                                  data:
                                    description: |-
                                      The data object specifies the POST data sent to the server.
                                      Only applicable when the method field is set to POST.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST). Defaults to GET.
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: |-
                                      Service is an API call to a JSON web service.
                                      This is used for non-Kubernetes API server calls.
                                      It's mutually exclusive with the URLPath field.
                                    properties:
                                      caBundle:
                                        description: |-
                                          CABundle is a PEM encoded CA bundle which will be used to validate
                                          the server certificate.
                                        type: string
                                      url:
                                        description: |-
                                          URL is the JSON web service URL. A typical form is
                                          `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: |-
                                      URLPath is the URL path to be used in the HTTP GET or POST request to the
                                      Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                      The format required is the same format used by the `kubectl get --raw` command.
                                      See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                      It's mutually exclusive with the Service field.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              globalReference:
                                description: GlobalContextEntryReference is a reference
                                  to a cached global context entry.
                                properties:
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  name:
                                    description: Name of the global context entry
                                    type: string
                                type: object
                              imageRegistry:
                                description: |-
                                  ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                  details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry.
                                        type: boolean
                                      providers:
                                        description: |-
                                          Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                          Each entry can be one of these values: default,google,azure,amazon,github.
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: |-
                                          Secrets specifies a list of secrets that are provided for credentials.
                                          Secrets must live in the Kyverno namespace.
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: |-
                                      Reference is image reference to a container image in the registry.
                                      Example: ghcr.io/kyverno/kyverno:latest
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: |-
                                      Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                      expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JMESPath Expression that can be used to
                                      transform the variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: |-
                            ExcludeResources defines when this policy rule should not be applied. The exclude
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                    Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                      If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: |-
                                Clone specifies the source resource used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither are provided, the generated
                                resource will be created with default data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resource used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: |-
                                    Selector is a label selector. Wildcard characters are not supported in `matchLabels`
                                    label keys and values.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: |-
                                Data provides the resource declaration used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither are provided, the generated
                                resource will be created with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            generateExisting:
                              description: |-
                                GenerateExisting controls whether to trigger the rule in existing resources.
                                If set to "true" the rule will be triggered and applied to existing matched resources.
                              type: boolean
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            orphanDownstreamOnPolicyDelete:
                              description: |-
                                OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                                them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                                See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                                Defaults to "false" if not specified.
                              type: boolean
                            synchronize:
                              description: |-
                                Synchronize controls if generated resources should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                                data from Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                            uid:
                              description: UID specifies the resource uid.
                              type: string
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: |-
                                    JMESPath is an optional JMESPath expression to apply to the image value.
                                    This is useful when the extracted image begins with a prefix like 'docker://'.
                                    The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                    Note - Image digest mutation may not be used when applying a JMESPath to an image.
                                  type: string
                                key:
                                  description: |-
                                    Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                    Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: |-
                                    Name is the entry the image will be available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will appear under 'images.custom'.
                                  type: string
                                path:
                                  description: |-
                                    Path is the path to the object containing the image field in a custom resource.
                                    It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                    Wildcard keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: |-
                                    Value is an optional name of the field within 'path' that points to the image URI.
                                    This is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: |-
                            ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                            This config is only valid for verifyImages rules.
                          type: object
                        match:
                          description: |-
                            MatchResources defines when this policy rule should be applied. The match
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                           Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                           and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                           Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                           ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                           Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                     Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                     and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                     Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                   description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                     Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be of one of these values: default,google,azure,amazon,github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                            Reference is the image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                  to which the mutation logic is applied.
                                    type: string
                                  order:
                                    description: |-
                                      Order defines the iteration order on the list.
                                  Can be Ascending to iterate from the first to the last element, or Descending to iterate from the last to the first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: |-
                                      PatchStrategicMerge is a strategic merge patch used to modify resources.
                                      See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: |-
                                      PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                      See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            mutateExistingOnPolicyUpdate:
                              description: MutateExistingOnPolicyUpdate controls if
                                the mutateExisting rule will be applied on policy
                                events.
                              type: boolean
                            patchStrategicMerge:
                              description: |-
                                PatchStrategicMerge is a strategic merge patch used to modify resources.
                                See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: |-
                                PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with the registry.
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: |-
                                      Preconditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                       of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    x-kubernetes-preserve-unknown-fields: true
                                  uid:
                                    description: UID specifies the resource uid.
                                    type: string
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule. It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: |-
                            Preconditions are used to determine if a policy rule should be applied by evaluating a
                            set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                             of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                            will be deprecated in the next major release.
                            See: https://kyverno.io/docs/writing-policies/preconditions/
                          x-kubernetes-preserve-unknown-fields: true
                        skipBackgroundRequests:
                          default: true
                          description: |-
                            SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                            The default value is set to "true"; it must be set to "false" to apply
                            generate and mutateExisting rules to those requests.
                          type: boolean
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: |-
                                AnyPattern specifies list of validation patterns. At least one of the patterns
                                must be satisfied for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: |-
                                          key specifies the audit annotation key. The audit annotation keys of
                                          a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                          The key is combined with the resource name of the
                                          ValidatingAdmissionPolicy to construct an audit annotation key:
                                          "{ValidatingAdmissionPolicy name}/{key}".


                                          If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation key will be identical.
                                          In this case, the first annotation written with the key will be included
                                          in the audit event and all subsequent annotations with the same key
                                          will be discarded.


                                          Required.
                                        type: string
                                      valueExpression:
                                        description: |-
                                          valueExpression represents the expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression must evaluate to either
                                          a string or null value. If the expression evaluates to a string, the
                                          audit annotation is included with the string value. If the expression
                                          evaluates to null or empty string the audit annotation will be omitted.
                                          The valueExpression may be no longer than 5kb in length.
                                          If the result of the valueExpression is more than 10kb in length, it
                                          will be truncated to 10kb.


                                          If multiple ValidatingAdmissionPolicyBinding resources match an
                                          API request, then the valueExpression will be evaluated for
                                          each binding. All unique values produced by the valueExpressions
                                          will be joined together in a comma-separated list.


                                          Required.
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                          expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables:\n\n\n- 'object' - The object
                                          from the incoming request. The value is
                                          null for DELETE requests.\n- 'oldObject'
                                          - The existing object. The value is null
                                          for CREATE requests.\n- 'request' - Attributes
                                          of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                          'params' - Parameter resource referred to
                                          by the policy binding being evaluated. Only
                                          populated if the policy has a ParamKind.\n-
                                          'namespaceObject' - The namespace object
                                          that the incoming object belongs to. The
                                          value is null for cluster-scoped resources.\n-
                                          'variables' - Map of composited variables,
                                          from its name to its lazily evaluated value.\n
                                          \ For example, a variable named 'foo' can
                                          be accessed as 'variables.foo'.\n- 'authorizer'
                                          - A CEL Authorizer. May be used to perform
                                          authorization checks for the principal (user
                                          or service account) of the request.\n  See
                                          https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                          'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the\n  request resource.\n\n\nThe `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the\nobject.
                                          No other metadata properties are accessible.\n\n\nOnly
                                          property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                          are accessible.\nAccessible property names
                                          are escaped according to the following rules
                                          when accessed in the expression:\n- '__'
                                          escapes to '__underscores__'\n- '.' escapes
                                          to '__dot__'\n- '-' escapes to '__dash__'\n-
                                          '/' escapes to '__slash__'\n- Property names
                                          that exactly match a CEL RESERVED keyword
                                          escape to '__{keyword}__'. The keywords
                                          are:\n\t  \"true\", \"false\", \"null\",
                                          \"in\", \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",\n\t
                                          \ \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\".\nExamples:\n
                                          \ - Expression accessing a property named
                                          \"namespace\": {\"Expression\": \"object.__namespace__
                                          > 0\"}\n  - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"}\n  - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"}\n\n\nEquality on arrays with list
                                          type of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1].\nConcatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type:\n  - 'set':
                                          `X + Y` performs a union where the array
                                          positions of all elements in `X` are preserved
                                          and\n    non-intersecting elements in `Y`
                                          are appended, retaining their partial order.\n
                                          \ - 'map': `X + Y` performs a merge where
                                          the array positions of all keys in `X` are
                                          preserved but the values\n    are overwritten
                                          by values in `Y` when the key sets of `X`
                                          and `Y` intersect. Elements in `Y` with\n
                                          \   non-intersecting keys are appended,
                                          retaining their partial order.\nRequired."
                                        type: string
                                      message:
                                        description: |-
                                          Message represents the message displayed when validation fails. The message is required if the Expression contains
                                          line breaks. The message must not contain line breaks.
                                          If unset, the message is "failed rule: {Rule}".
                                          e.g. "must be a URL with the host matching spec.host"
                                          If the Expression contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression: {Expression}".
                                        type: string
                                      messageExpression:
                                        description: |-
                                          messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                          Since messageExpression is used as a failure message, it must evaluate to a string.
                                          If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                          If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                          as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                          that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                          the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                          messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                          Example:
                                          "object.x must be less than max ("+string(params.max)+")"
                                        type: string
                                      reason:
                                        description: |-
                                          Reason represents a machine-readable description of why this validation failed.
                                          If this is the first validation in the list to fail, this reason, as well as the
                                          corresponding HTTP response code, are used in the
                                          HTTP response to the client.
                                          The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                          If not set, StatusReasonInvalid is used in the response to the client.
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: |-
                                        APIVersion is the API group version the resources belong to.
                                        In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind is the API kind the resources belong to.
                                        Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: |-
                                        `name` is the name of the resource being referenced.


                                        `name` and `selector` are mutually exclusive properties. If one is set,
                                        the other must be unset.
                                      type: string
                                    namespace:
                                      description: |-
                                        namespace is the namespace of the referenced resource. Allows limiting
                                        the search for params to a specific namespace. Applies to both `name` and
                                        `selector` fields.


                                        A per-namespace parameter may be used by specifying a namespace-scoped
                                        `paramKind` in the policy and leaving this field empty.


                                        - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                        field results in a configuration error.


                                        - If `paramKind` is namespace-scoped, the namespace of the object being
                                        evaluated for admission will be used when this field is left unset. Take
                                        care that if this is left empty the binding must not match any cluster-scoped
                                        resources, which will result in an error.
                                      type: string
                                    parameterNotFoundAction:
                                      description: |-
                                        `parameterNotFoundAction` controls the behavior of the binding when the resource
                                        exists, and name or selector is valid, but there are no parameters
                                        matched by the binding. If the value is set to `Allow`, then no
                                        matched parameters will be treated as successful validation by the binding.
                                        If set to `Deny`, then no matched parameters will be subject to the
                                        `failurePolicy` of the policy.


                                        Allowed values are `Allow` or `Deny`
                                        Default to `Deny`
                                      type: string
                                    selector:
                                      description: |-
                                        selector can be used to match multiple param objects based on their labels.
                                        Supply selector: {} to match all resources of the ParamKind.


                                        If multiple params are found, they are all evaluated with the policy expressions
                                        and the results are ANDed together.


                                        One of `name` or `selector` must be set, but `name` and `selector` are
                                        mutually exclusive properties. If one is set, the other must be unset.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list
                                            of label selector requirements. The requirements
                                            are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key
                                                  that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                variables:
                                  description: |-
                                    Variables contain definitions of variables that can be used in composition of other expressions.
                                    Each variable is defined as a named CEL expression.
                                    The variables defined here will be available under `variables` in other expressions of the policy.
                                  items:
                                    description: Variable is the definition of a variable
                                      that is used for composition.
                                    properties:
                                      expression:
                                        description: |-
                                          Expression is the expression that will be evaluated as the value of the variable.
                                          The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                        type: string
                                      name:
                                        description: |-
                                          Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                          The variable can be accessed in other expressions through `variables`
                                          For example, if name is "foo", the variable will be available as `variables.foo`
                                        type: string
                                    required:
                                    - expression
                                    - name
                                    type: object
                                  type: array
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: |-
                                    Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: |-
                                      AnyPattern specifies list of validation patterns. At least one of the patterns
                                      must be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: |-
                                          Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                          of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                          but will be deprecated in the next major release.
                                          See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: |-
                                      ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used as the validation scope within the foreach
                                      block to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specifies the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                  description: |-
                                                    IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is
                                                    required, so the signature is trusted on the strength of the key or certificate alone.
                                                    Leave false unless the artifact was deliberately signed without uploading to a transparency log.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                            Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                  description: |-
                                                    IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is
                                                    required, so the signature is trusted on the strength of the key or certificate alone.
                                                    Leave false unless the artifact was deliberately signed without uploading to a transparency log.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key `cosign.pub` containing the public key used for
                                                verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                  description: |-
                                                    IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is
                                                    required, so the signature is trusted on the strength of the key or certificate alone.
                                                    Leave false unless the artifact was deliberately signed without uploading to a transparency log.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                            Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                            If specified, Repository overrides all other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests. Ignored fields are excluded from the comparison,
                                so any change to them is accepted without verification;
                                keep this list as narrow as possible.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: |-
                                    Repository is an optional alternate OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: |-
                                PodSecurity applies exemptions for Kubernetes Pod Security admission
                                by specifying exclusions for Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: |-
                                          ControlName specifies the name of the Pod Security Standard control.
                                          See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: |-
                                          Images selects matching containers and applies the container level PSS.
                                          Each image is the image name consisting of the registry address, repository, image, and tag.
                                          Empty list matches no containers, PSS checks are applied at the pod level only.
                                          Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                        items:
                                          type: string
                                        type: array
                                      restrictedField:
                                        description: |-
                                          RestrictedField selects the field for the given Pod Security Standard control.
                                          When not set, all restricted fields for the control are selected.
                                        type: string
                                      values:
                                        description: Values defines the allowed values
                                          that can be excluded.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: |-
                                    Level defines the Pod Security Standard level to be applied to workloads.
                                    Allowed values are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: |-
                                    Version defines the Pod Security Standard versions that Kubernetes supports.
                                    Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - v1.27
                                  - v1.28
                                  - v1.29
                                  - latest
                                  type: string
                              type: object
                            validationFailureAction:
                              description: |-
                                ValidationFailureAction defines if a validation policy rule violation should block
                                the admission review request (enforce), or allow (audit) the admission review request
                                and report an error in a policy report. Optional.
                                Allowed values are audit or enforce.
                              enum:
                              - audit
                              - enforce
                              - Audit
                              - Enforce
                              type: string
                            validationFailureActionOverrides:
                              description: |-
                                ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                                namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                              items:
                                properties:
                                  action:
                                    description: ValidationFailureAction defines the
                                      policy validation failure action
                                    enum:
                                    - audit
                                    - enforce
                                    - Audit
                                    - Enforce
                                    type: string
                                  namespaceSelector:
                                    description: |-
                                      A label selector is a label query over a set of resources. The result of matchLabels and
                                      matchExpressions are ANDed. An empty label selector matches all objects. A null
                                      label selector matches no objects.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    items:
                                      type: string
                                    type: array
                                type: object
                              type: array
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: |-
                              ImageVerification validates that images that match the specified pattern
                              are signed with the supplied public key. Once the image is verified it is
                              mutated to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Deprecated. Use annotations per Attestor
                                  instead.
                                type: object
                              attestations:
                                description: |-
                                  Attestations are optional checks for signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                  OCI registry and decodes them into a list of Statement declarations.
                                items:
                                  description: |-
                                    Attestation are checks for signed in-toto Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                    OCI registry and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities).
                                      items:
                                        properties:
                                          count:
                                            description: |-
                                              Count specifies the required number of entries that must match. If the count is null, all entries must match
                                              (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                              value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: |-
                                              Entries contains the available attestors. An attestor can be a static key,
                                              attributes for keyless verification, or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: |-
                                                    Annotations are used for image verification.
                                                    Every specified key-value pair must exist and match in the verified payload.
                                                    The payload may contain other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    set of Attestor used to specify
                                                    a more complex set of match authorities.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates.
                                                  properties:
                                                    cert:
                                                      description: Cert is an optional
                                                        PEM-encoded public certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertChain is an
                                                        optional PEM encoded set of
                                                        certificates used to verify.
                                                      type: string
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                             may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: |-
                                                     Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                    See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                             may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    roots:
                                                      description: |-
                                                        Roots is an optional set of PEM encoded trusted root certificates.
                                                        If not provided, the system roots are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address.
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys.
                                                  properties:
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                             may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    kms:
                                                      description: |-
                                                        KMS provides the URI to the public key stored in a Key Management System. See:
                                                        https://github.com/sigstore/cosign/blob/main/KMS.md
                                                      type: string
                                                    publicKeys:
                                                      description: |-
                                                        Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                        specified or can be a variable reference to a key specified in a ConfigMap (see
                                                        https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                        elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify a key `cosign.pub` containing the public key used for
                                                        verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified each key is processed as a separate staticKey entry
                                                        (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha224,
                                                        sha256, sha384 and sha512.
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: |-
                                                    Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                    If specified Repository will override other OCI image repository locations for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: |-
                                        Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                         the attestation check is satisfied as long as there are predicates that match the predicate type.
                                      items:
                                        description: |-
                                          AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                          AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                          AllConditions get fulfilled only when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: |-
                                              AllConditions enable variable-based conditional rule execution. This is useful for
                                               finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, all of the conditions need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: |-
                                              AnyConditions enable variable-based conditional rule execution. This is useful for
                                               finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, at least one of the conditions need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: Deprecated in favour of 'Type',
                                        to be removed soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specifies the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: |-
                                        Count specifies the required number of entries that must match. If the count is null, all entries must match
                                        (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                        value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: |-
                                        Entries contains the available attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              Annotations are used for image verification.
                                              Every specified key-value pair must exist and match in the verified payload.
                                              The payload may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested set
                                              of Attestor used to specify a more complex
                                              set of match authorities.
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates.
                                            properties:
                                              cert:
                                                description: Cert is an optional PEM-encoded
                                                  public certificate.
                                                type: string
                                              certChain:
                                                description: CertChain is an optional
                                                  PEM encoded set of certificates
                                                  used to verify.
                                                type: string
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp source.
                                                    type: string
                                                type: object
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                            type: object
                                          keyless:
                                            description: |-
                                              Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp source.
                                                    type: string
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              roots:
                                                description: |-
                                                  Roots is an optional set of PEM encoded trusted root certificates.
                                                  If not provided, the system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address.
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys.
                                            properties:
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp source.
                                                    type: string
                                                type: object
                                              kms:
                                                description: |-
                                                  KMS provides the URI to the public key stored in a Key Management System. See:
                                                  https://github.com/sigstore/cosign/blob/main/KMS.md
                                                type: string
                                              publicKeys:
                                                description: |-
                                                  Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                  specified or can be a variable reference to a key specified in a ConfigMap (see
                                                  https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                  elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a key `cosign.pub` containing the public key used for
                                                  verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified each key is processed as a separate staticKey entry
                                                  (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha224, sha256, sha384 and sha512.
                                                type: string
                                            type: object
                                          repository:
                                            description: |-
                                              Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                              If specified Repository will override other OCI image repository locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              cosignOCI11:
                                description: |-
                                  CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                                  Defaults to false.
                                type: boolean
                              image:
                                description: Deprecated. Use ImageReferences instead.
                                type: string
                              imageReferences:
                                description: |-
                                  ImageReferences is a list of matching image reference patterns. At least one pattern in the
                                  list must match the image for the rule to apply. Each image reference consists of a registry
                                  address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with the registry.
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                      It can be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              key:
                                description: Deprecated. Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: |-
                                  MutateDigest enables replacement of image tags with digests.
                                  Defaults to true.
                                type: boolean
                              repository:
                                description: |-
                                  Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                                  If specified Repository will override the default OCI image repository configured for the installation.
                                  The repository can also be overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified,
                                  i.e. have passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              skipImageReferences:
                                description: |-
                                  SkipImageReferences is a list of matching image reference patterns that should be skipped.
                                  At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                                  consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              subject:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              type:
                                description: |-
                                  Type specifies the method of signature validation. The allowed options
                                  are Cosign and Notary. By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule.
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: |-
                  RuleCountStatus contains four variables which describes counts for
                  validate, generate, mutate and verify images rules
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
              validatingadmissionpolicy:
                description: ValidatingAdmissionPolicy contains status information
                properties:
                  generated:
                    description: Generated indicates whether a validating admission
                      policy is generated from the policy or not
                    type: boolean
                  message:
                    description: |-
                      Message is a human readable message indicating details about the generation of validating admission policy
                      It is an empty string when validating admission policy is successfully generated.
                    type: string
                required:
                - generated
                - message
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: |-
          Policy declares validation, mutation, and generation behaviors for matching resources.
          See: https://kyverno.io/docs/writing-policies/ for more information.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines policy behaviors and contains one or more rules.
            properties:
              admission:
                default: true
                description: |-
                  Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: |-
                  ApplyRules controls how rules in a policy are applied. Rules are processed in
                  the order of declaration. When set to `One` processing stops after a rule has
                  been applied i.e. the rule matches and results in a pass, fail, or error. When
                  set to `All` all rules in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: |-
                  Background controls if rules are applied to existing resources during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              failurePolicy:
                description: Deprecated, use failurePolicy under the webhookConfiguration
                  instead.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: Deprecated, use generateExisting under the generate rule
                  instead
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: Deprecated, use mutateExistingOnPolicyUpdate under the
                  mutate rule instead
                type: boolean
              rules:
                description: |-
                  Rules is a list of Rule instances. A Policy contains multiple rules and
                  each rule can validate, mutate, or generate resources.
                items:
                  description: |-
                    Rule defines a validation, mutation, or generation control for matching resources.
                    Each rule contains a match declaration to select resources, and an optional exclude
                    declaration to specify which resources to exclude.
                  properties:
                    celPreconditions:
                      description: |-
                        CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                        set of CEL conditions. It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          be fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: |-
                              Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                              CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                              'object' - The object from the incoming request. The value is null for DELETE requests.
                              'oldObject' - The existing object. The value is null for CREATE requests.
                              'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                request resource.
                              Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                              Required.
                            type: string
                          name:
                            description: |-
                              Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                              as well as providing an identifier for logging purposes. A good name should be descriptive of
                              the associated expression.
                              Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                              must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                              '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                              optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                              Required.
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: |-
                          ContextEntry adds variables and data sources to a rule Context. Either a
                          ConfigMap reference or a APILookup must be provided.
                        properties:
                          apiCall:
                            description: |-
                              APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                              The data returned is stored in the context with the name for the context entry.
                            properties:
                              data:
                                description: |-
                                  The data object specifies the POST data sent to the server.
                                  Only applicable when the method field is set to POST.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST). Defaults to GET.
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: |-
                                  Service is an API call to a JSON web service.
                                  This is used for non-Kubernetes API server calls.
                                  It's mutually exclusive with the URLPath field.
                                properties:
                                  caBundle:
                                    description: |-
                                      CABundle is a PEM encoded CA bundle which will be used to validate
                                      the server certificate.
                                    type: string
                                  url:
                                    description: |-
                                      URL is the JSON web service URL. A typical form is
                                      `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: |-
                                  URLPath is the URL path to be used in the HTTP GET or POST request to the
                                  Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the `kubectl get --raw` command.
                                  See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                  It's mutually exclusive with the Service field.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          globalReference:
                            description: GlobalContextEntryReference is a reference
                              to a cached global context entry.
                            properties:
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the JSON response returned from the server. For example
                                  a JMESPath of "items | length(@)" applied to the API server response
                                  for the URLPath "/apis/apps/v1/deployments" will return the total count
                                  of deployments across all namespaces.
                                type: string
                              name:
                                description: Name of the global context entry
                                type: string
                            type: object
                          imageRegistry:
                            description: |-
                              ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                              details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                     description: |-
                                       AllowInsecureRegistry allows insecure access to a registry, i.e. the
                                       registry client relaxes its usual transport security checks when
                                       fetching image details (confirm the exact behaviour against the
                                       registry client). Leave this unset unless the registry genuinely
                                       cannot be reached securely; otherwise a network-level attacker can
                                       feed forged image data into the policy context.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                      It can be of one of these values: default,google,azure,amazon,github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JSON Match Expression that can be used to
                                  transform the ImageData struct returned as a result of processing
                                  the image reference.
                                type: string
                              reference:
                                description: |-
                                  Reference is image reference to a container image in the registry.
                                  Example: ghcr.io/kyverno/kyverno:latest
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: |-
                                  Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: |-
                                  JMESPath is an optional JMESPath Expression that can be used to
                                  transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: |-
                        ExcludeResources defines when this policy rule should not be applied. The exclude
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a  map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character).Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                       Namespaces is a list of namespace names. Each name supports wildcard characters
                                       "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                     description: Operations can contain values ["CREATE",
                                       "UPDATE", "CONNECT", "DELETE"], which are used
                                       to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                       Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                       characters `*` (matches zero or many characters) and `?` (matches one character).
                                       Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                       using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                         Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                         If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                             description: ResourceFilter allows users to "AND" or "OR"
                               between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                       Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                       and values support the wildcard characters "*" (matches zero or many characters) and
                                       "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                       NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                       in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                       and `?` (matches one character). Wildcards allow writing label selectors like
                                       ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                       does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                       Namespaces is a list of namespace names. Each name supports wildcard characters
                                       "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                     description: Operations can contain values ["CREATE",
                                       "UPDATE", "CONNECT", "DELETE"], which are used
                                       to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                       Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                       characters `*` (matches zero or many characters) and `?` (matches one character).
                                       Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                       using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                         Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                         If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: |-
                            Clone specifies the source resource used to populate each generated resource.
                            At most one of Data or Clone can be specified. If neither are provided, the generated
                            resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                           description: CloneList specifies the list of source resources
                             used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: |-
                                 Selector is a label selector for the source resources. Wildcard characters are not
                                 supported in `matchLabels` keys and values.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: |-
                            Data provides the resource declaration used to populate each generated resource.
                             At most one of Data or Clone can be specified. If neither are provided, the generated
                             resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        generateExisting:
                          description: |-
                             GenerateExisting controls whether to trigger the rule on existing resources.
                             If set to "true" the rule will be triggered and applied to existing matched resources.
                          type: boolean
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        orphanDownstreamOnPolicyDelete:
                          description: |-
                            OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                            them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                            See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                            Defaults to "false" if not specified.
                          type: boolean
                        synchronize:
                          description: |-
                            Synchronize controls if generated resources should be kept in-sync with their source resource.
                            If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                            data from Data or the resource specified in the Clone declaration.
                            Optional. Defaults to "false" if not specified.
                          type: boolean
                        uid:
                          description: UID specifies the resource uid.
                          type: string
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: |-
                                JMESPath is an optional JMESPath expression to apply to the image value.
                                This is useful when the extracted image begins with a prefix like 'docker://'.
                                The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                 Note - Image digest mutation may not be used when applying a JMESPath expression to an image.
                              type: string
                            key:
                              description: |-
                                Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: |-
                                Name is the entry the image will be available under 'images.<name>' in the context.
                                If this field is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: |-
                                Path is the path to the object containing the image field in a custom resource.
                                It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                Wildcard keys are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: |-
                                Value is an optional name of the field within 'path' that points to the image URI.
                                This is useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: |-
                        ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                        This config is only valid for verifyImages rules.
                      type: object
                    match:
                      description: |-
                        MatchResources defines when this policy rule should be applied. The match
                        criteria can include resource information (e.g. kind, name, namespace, labels)
                        and admission review request information like the user name or role.
                        At least one kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                      and values support the wildcard characters "*" (matches zero or many characters) and
                                      "?" (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: |-
                                      Name is the name of the resource. The name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                      NOTE: "Name" is being deprecated in favor of "Names".
                                    type: string
                                  names:
                                    description: |-
                                      Names are the names of the resources. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: |-
                                      NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                      and `?` (matches one character). Wildcards allow writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                      does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: |-
                                      Namespaces is a list of namespace names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?" (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE",
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: |-
                                      Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                      characters `*` (matches zero or many characters) and `?` (matches one character).
                                      Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                      using ["*" : "*"] matches any key and value but does not match an empty label set.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: |-
                                    Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                                    or a value for non-objects such as user and group names.
                                  properties:
                                    apiGroup:
                                      description: |-
                                        APIGroup holds the API group of the referenced subject.
                                        Defaults to "" for ServiceAccount subjects.
                                        Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                        If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                                with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names whose authentication providers are provided.
                                                Each entry can be one of these values: default, google, azure, amazon, github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is an image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the mutation logic is applied.
                                type: string
                              order:
                                description: |-
                                  Order defines the iteration order on the list.
                                  Can be Ascending to iterate from the first to the last element, or Descending to iterate from the last to the first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: |-
                                  PatchStrategicMerge is a strategic merge patch used to modify resources.
                                  See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: |-
                                  PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions needs to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        mutateExistingOnPolicyUpdate:
                          description: MutateExistingOnPolicyUpdate controls if the
                            mutateExisting rule will be applied on policy events.
                          type: boolean
                        patchStrategicMerge:
                          description: |-
                            PatchStrategicMerge is a strategic merge patch used to modify resources.
                            See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: |-
                            PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                            See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. Either a
                                    ConfigMap reference or an APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                                with the registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names whose authentication providers are provided.
                                                Each entry can be one of these values: default, google, azure, amazon, github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                              Reference is the image reference of a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: |-
                                  Preconditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                  will be deprecated in the next major release.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                x-kubernetes-preserve-unknown-fields: true
                              uid:
                                description: UID specifies the resource uid.
                                type: string
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule. It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: |-
                        Preconditions are used to determine if a policy rule should be applied by evaluating a
                        set of conditions. The declaration can contain nested `any` or `all` statements.
                        See: https://kyverno.io/docs/writing-policies/preconditions/
                      properties:
                        all:
                          description: |-
                            AllConditions enable variable-based conditional rule execution. This is useful for
                            finer control of when a rule is applied. A condition can reference object data
                            using JMESPath notation.
                            Here, all of the conditions need to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: |-
                                  Operator is the conditional operation to perform. Valid operators are:
                                  Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                  DurationLessThanOrEquals, DurationLessThan
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: |-
                                  Value is the conditional value, or set of values. The values can be a fixed set
                                  or variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        any:
                          description: |-
                            AnyConditions enable variable-based conditional rule execution. This is useful for
                            finer control of when a rule is applied. A condition can reference object data
                            using JMESPath notation.
                            Here, at least one of the conditions need to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: |-
                                  Operator is the conditional operation to perform. Valid operators are:
                                  Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                  DurationLessThanOrEquals, DurationLessThan
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: |-
                                  Value is the conditional value, or set of values. The values can be a fixed set
                                  or variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    skipBackgroundRequests:
                      default: true
                      description: |-
                        SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                        The default value is "true"; it must be set to "false" to apply
                        generate and mutateExisting rules to those requests.
                      type: boolean
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: |-
                            AnyPattern specifies list of validation patterns. At least one of the patterns
                            must be satisfied for the validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: |-
                                      key specifies the audit annotation key. The audit annotation keys of
                                      a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                      The key is combined with the resource name of the
                                      ValidatingAdmissionPolicy to construct an audit annotation key:
                                      "{ValidatingAdmissionPolicy name}/{key}".


                                      If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation key will be identical.
                                      In this case, the first annotation written with the key will be included
                                      in the audit event and all subsequent annotations with the same key
                                      will be discarded.


                                      Required.
                                    type: string
                                  valueExpression:
                                    description: |-
                                      valueExpression represents the expression which is evaluated by CEL to
                                      produce an audit annotation value. The expression must evaluate to either
                                      a string or null value. If the expression evaluates to a string, the
                                      audit annotation is included with the string value. If the expression
                                      evaluates to null or empty string the audit annotation will be omitted.
                                      The valueExpression may be no longer than 5kb in length.
                                      If the result of the valueExpression is more than 10kb in length, it
                                      will be truncated to 10kb.


                                      If multiple ValidatingAdmissionPolicyBinding resources match an
                                      API request, then the valueExpression will be evaluated for
                                      each binding. All unique values produced by the valueExpressions
                                      will be joined together in a comma-separated list.


                                      Required.
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                      expressions have access to the contents of the
                                      API request/response, organized into CEL variables
                                      as well as some other useful variables:\n\n\n-
                                      'object' - The object from the incoming request.
                                      The value is null for DELETE requests.\n- 'oldObject'
                                      - The existing object. The value is null for
                                      CREATE requests.\n- 'request' - Attributes of
                                      the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                      'params' - Parameter resource referred to by
                                      the policy binding being evaluated. Only populated
                                      if the policy has a ParamKind.\n- 'namespaceObject'
                                      - The namespace object that the incoming object
                                      belongs to. The value is null for cluster-scoped
                                      resources.\n- 'variables' - Map of composited
                                      variables, from its name to its lazily evaluated
                                      value.\n  For example, a variable named 'foo'
                                      can be accessed as 'variables.foo'.\n- 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                      'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the\n  request resource.\n\n\nThe `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the\nobject.
                                      No other metadata properties are accessible.\n\n\nOnly
                                      property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible.\nAccessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression:\n- '__' escapes
                                      to '__underscores__'\n- '.' escapes to '__dot__'\n-
                                      '-' escapes to '__dash__'\n- '/' escapes to
                                      '__slash__'\n- Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are:\n\t  \"true\", \"false\",
                                      \"null\", \"in\", \"as\", \"break\", \"const\",
                                      \"continue\", \"else\", \"for\", \"function\",
                                      \"if\",\n\t  \"import\", \"let\", \"loop\",
                                      \"package\", \"namespace\", \"return\".\nExamples:\n
                                      \ - Expression accessing a property named \"namespace\":
                                      {\"Expression\": \"object.__namespace__ > 0\"}\n
                                      \ - Expression accessing a property named \"x-prop\":
                                      {\"Expression\": \"object.x__dash__prop > 0\"}\n
                                      \ - Expression accessing a property named \"redact__d\":
                                      {\"Expression\": \"object.redact__underscores__d
                                      > 0\"}\n\n\nEquality on arrays with list type
                                      of 'set' or 'map' ignores element order, i.e.
                                      [1, 2] == [2, 1].\nConcatenation on arrays with
                                      x-kubernetes-list-type use the semantics of
                                      the list type:\n  - 'set': `X + Y` performs
                                      a union where the array positions of all elements
                                      in `X` are preserved and\n    non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order.\n  - 'map': `X + Y` performs
                                      a merge where the array positions of all keys
                                      in `X` are preserved but the values\n    are
                                      overwritten by values in `Y` when the key sets
                                      of `X` and `Y` intersect. Elements in `Y` with\n
                                      \   non-intersecting keys are appended, retaining
                                      their partial order.\nRequired."
                                    type: string
                                  message:
                                    description: |-
                                      Message represents the message displayed when validation fails. The message is required if the Expression contains
                                      line breaks. The message must not contain line breaks.
                                      If unset, the message is "failed rule: {Rule}".
                                      e.g. "must be a URL with the host matching spec.host"
                                      If the Expression contains line breaks, Message is required.
                                      The message must not contain line breaks.
                                      If unset, the message is "failed Expression: {Expression}".
                                    type: string
                                  messageExpression:
                                    description: |-
                                      messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                      Since messageExpression is used as a failure message, it must evaluate to a string.
                                      If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                      If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                      as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                      that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                      the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                      messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                      Example:
                                      "object.x must be less than max ("+string(params.max)+")"
                                    type: string
                                  reason:
                                    description: |-
                                      Reason represents a machine-readable description of why this validation failed.
                                      If this is the first validation in the list to fail, this reason, as well as the
                                      corresponding HTTP response code, are used in the
                                      HTTP response to the client.
                                      The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                      If not set, StatusReasonInvalid is used in the response to the client.
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: |-
                                    APIVersion is the API group version the resources belong to.
                                    In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: |-
                                    Kind is the API kind the resources belong to.
                                    Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: |-
                                    `name` is the name of the resource being referenced.


                                    `name` and `selector` are mutually exclusive properties. If one is set,
                                    the other must be unset.
                                  type: string
                                namespace:
                                  description: |-
                                    namespace is the namespace of the referenced resource. Allows limiting
                                    the search for params to a specific namespace. Applies to both `name` and
                                    `selector` fields.


                                    A per-namespace parameter may be used by specifying a namespace-scoped
                                    `paramKind` in the policy and leaving this field empty.


                                    - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                    field results in a configuration error.


                                    - If `paramKind` is namespace-scoped, the namespace of the object being
                                    evaluated for admission will be used when this field is left unset. Take
                                    care that if this is left empty the binding must not match any cluster-scoped
                                    resources, which will result in an error.
                                  type: string
                                parameterNotFoundAction:
                                  description: |-
                                    `parameterNotFoundAction` controls the behavior of the binding when the resource
                                    exists, and name or selector is valid, but there are no parameters
                                    matched by the binding. If the value is set to `Allow`, then no
                                    matched parameters will be treated as successful validation by the binding.
                                    If set to `Deny`, then no matched parameters will be subject to the
                                    `failurePolicy` of the policy.


                                    Allowed values are `Allow` or `Deny`
                                    Defaults to `Deny`.
                                  type: string
                                selector:
                                  description: |-
                                    selector can be used to match multiple param objects based on their labels.
                                    Supply selector: {} to match all resources of the ParamKind.


                                    If multiple params are found, they are all evaluated with the policy expressions
                                    and the results are ANDed together.


                                    One of `name` or `selector` must be set, but `name` and `selector` are
                                    mutually exclusive properties. If one is set, the other must be unset.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                              x-kubernetes-map-type: atomic
                            variables:
                              description: |-
                                Variables contain definitions of variables that can be used in composition of other expressions.
                                Each variable is defined as a named CEL expression.
                                The variables defined here will be available under `variables` in other expressions of the policy.
                              items:
                                description: Variable is the definition of a variable
                                  that is used for composition.
                                properties:
                                  expression:
                                    description: |-
                                      Expression is the expression that will be evaluated as the value of the variable.
                                      The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                    type: string
                                  name:
                                    description: |-
                                      Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                      The variable can be accessed in other expressions through `variables`
                                      For example, if name is "foo", the variable will be available as `variables.foo`
                                    type: string
                                required:
                                - expression
                                - name
                                type: object
                              type: array
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: |-
                                Multiple conditions can be declared under an `any` or `all` statement.
                                See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                              properties:
                                all:
                                  description: |-
                                    AllConditions enable variable-based conditional rule execution. This is useful for
                                    finer control of when a rule is applied. A condition can reference object data
                                    using JMESPath notation.
                                    Here, all of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: |-
                                          Operator is the conditional operation to perform. Valid operators are:
                                          Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan.
                                          Note: the plain In and NotIn operators are not part of this field's enum and will be
                                          rejected by the API server; use AnyIn/AllIn or AnyNotIn/AllNotIn instead.
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: |-
                                          Value is the conditional value, or set of values. The values can be fixed set
                                          or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                                any:
                                  description: |-
                                    AnyConditions enable variable-based conditional rule execution. This is useful for
                                    finer control of when a rule is applied. A condition can reference object data
                                    using JMESPath notation.
                                    Here, at least one of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: |-
                                          Operator is the conditional operation to perform. Valid operators are:
                                          Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan.
                                          Note: the plain In and NotIn operators are not part of this field's enum and will be
                                          rejected by the API server; use AnyIn/AllIn or AnyNotIn/AllNotIn instead.
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: |-
                                          Value is the conditional value, or set of values. The values can be fixed set
                                          or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                              type: object
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: |-
                                  AnyPattern specifies list of validation patterns. At least one of the patterns
                                  must be satisfied for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: |-
                                    ContextEntry adds variables and data sources to a rule Context. One of the data sources
                                    below (apiCall, configMap, globalReference, imageRegistry or variable) must be provided.
                                  properties:
                                    apiCall:
                                      description: |-
                                        APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context with the name for the context entry.
                                      properties:
                                        data:
                                          description: |-
                                            The data object specifies the POST data sent to the server.
                                            Only applicable when the method field is set to POST.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the JSON response returned from the server. For example
                                            a JMESPath of "items | length(@)" applied to the API server response
                                            for the URLPath "/apis/apps/v1/deployments" will return the total count
                                            of deployments across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST). Defaults to GET.
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: |-
                                            Service is an API call to a JSON web service.
                                            This is used for non-Kubernetes API server calls.
                                            It's mutually exclusive with the URLPath field.
                                          properties:
                                            caBundle:
                                              description: |-
                                                CABundle is a PEM encoded CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: |-
                                                URL is the JSON web service URL. A typical form is
                                                `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: |-
                                            URLPath is the URL path to be used in the HTTP GET or POST request to the
                                            Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                            The format required is the same format used by the `kubectl get --raw` command.
                                            See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                            It's mutually exclusive with the Service field.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    globalReference:
                                      description: GlobalContextEntryReference is
                                        a reference to a cached global context entry.
                                      properties:
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the data held by the referenced global context entry. For example
                                            a JMESPath of "items | length(@)" applied to a cached API server response
                                            for "/apis/apps/v1/deployments" will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        name:
                                          description: Name of the global context
                                            entry
                                          type: string
                                      type: object
                                    imageRegistry:
                                      description: |-
                                        ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: |-
                                                AllowInsecureRegistry allows insecure access to a registry. Enabling it weakens
                                                transport security for the image metadata that policy decisions depend on;
                                                leave it unset for production registries.
                                              type: boolean
                                            providers:
                                              description: |-
                                                Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                Each entry must be one of: default, google, azure, amazon, github.
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: |-
                                                Secrets specifies a list of secrets that are provided for credentials.
                                                Secrets must live in the Kyverno namespace.
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JSON Match Expression that can be used to
                                            transform the ImageData struct returned as a result of processing
                                            the image reference.
                                          type: string
                                        reference:
                                          description: |-
                                            Reference is image reference to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: |-
                                            Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                            expression evaluates to nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: |-
                                            JMESPath is an optional JMESPath Expression that can be used to
                                            transform the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: |-
                                      Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                      of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: |-
                                  ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                  When set to "false", "request.object" is used as the validation scope within the foreach
                                  block to allow referencing other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: |-
                                  List specifies a JMESPath expression that results in one or more elements
                                  to which the validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: |-
                                  AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                  set of conditions. The declaration can contain nested `any` or `all` statements.
                                  See: https://kyverno.io/docs/writing-policies/preconditions/
                                properties:
                                  all:
                                    description: |-
                                      AllConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, all of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: |-
                                      AnyConditions enable variable-based conditional rule execution. This is useful for
                                      finer control of when a rule is applied. A condition can reference object data
                                      using JMESPath notation.
                                      Here, at least one of the conditions need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: |-
                                            Operator is the conditional operation to perform. Valid operators are:
                                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: |-
                                            Value is the conditional value, or set of values. The values can be fixed set
                                            or can be variables declared using JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specifies the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: |-
                                      Count specifies the required number of entries that must match. If the count is null, all entries must match
                                      (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                      value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: |-
                                      Entries contains the available attestors. An attestor can be a static key,
                                      attributes for keyless verification, or a nested attestor declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            Annotations are used for image verification.
                                            Every specified key-value pair must exist and match in the verified payload.
                                            The payload may contain other key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested set of
                                            Attestor used to specify a more complex
                                            set of match authorities.
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates.
                                          properties:
                                            cert:
                                              description: Cert is an optional PEM-encoded
                                                public certificate.
                                              type: string
                                            certChain:
                                              description: CertChain is an optional
                                                PEM encoded set of certificates used
                                                to verify.
                                              type: string
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                          type: object
                                        keyless:
                                          description: |-
                                            Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            roots:
                                              description: |-
                                                Roots is an optional set of PEM encoded trusted root certificates.
                                                If not provided, the system roots are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address.
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys.
                                          properties:
                                            ctlog:
                                              description: |-
                                                CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                              properties:
                                                ignoreSCT:
                                                  description: |-
                                                    IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                    timestamp. Default is false. Set to true if this was opted out during signing.
                                                  type: boolean
                                                pubkey:
                                                  description: PubKey, if set, is
                                                    used to validate SCTs against
                                                    a custom source.
                                                  type: string
                                                tsaCertChain:
                                                  description: |-
                                                    TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                    contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                    may contain the leaf TSA certificate if not present in the timestamp response.
                                                  type: string
                                              type: object
                                            kms:
                                              description: |-
                                                KMS provides the URI to the public key stored in a Key Management System. See:
                                                https://github.com/sigstore/cosign/blob/main/KMS.md
                                              type: string
                                            publicKeys:
                                              description: |-
                                                Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                specified or can be a variable reference to a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key `cosign.pub` containing the public key used for
                                                verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each key is processed as a separate staticKey entry
                                                (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: |-
                                                Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                              properties:
                                                ignoreTlog:
                                                  description: IgnoreTlog skips transparency
                                                    log verification.
                                                  type: boolean
                                                pubkey:
                                                  description: |-
                                                    RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                    If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public Rekor log instance
                                                    https://rekor.sigstore.dev.
                                                  type: string
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha224, sha256, sha384 and sha512.
                                              type: string
                                          type: object
                                        repository:
                                          description: |-
                                            Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                            If specified Repository will override other OCI image repository locations for this Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: |-
                                Repository is an optional alternate OCI repository to use for resource bundle reference.
                                The repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: |-
                            PodSecurity applies exemptions for Kubernetes Pod Security admission
                            by specifying exclusions for Pod Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: |-
                                      ControlName specifies the name of the Pod Security Standard control.
                                      See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: |-
                                      Images selects matching containers and applies the container level PSS.
                                      Each image is the image name consisting of the registry address, repository, image, and tag.
                                      Empty list matches no containers, PSS checks are applied at the pod level only.
                                      Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                    items:
                                      type: string
                                    type: array
                                  restrictedField:
                                    description: |-
                                      RestrictedField selects the field for the given Pod Security Standard control.
                                      When not set, all restricted fields for the control are selected.
                                    type: string
                                  values:
                                    description: Values defines the allowed values
                                      that can be excluded.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: |-
                                Level defines the Pod Security Standard level to be applied to workloads.
                                Allowed values are privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: |-
                                Version defines the Pod Security Standard versions that Kubernetes supports.
                                Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - v1.27
                              - v1.28
                              - v1.29
                              - latest
                              type: string
                          type: object
                        validationFailureAction:
                          description: |-
                            ValidationFailureAction defines if a validation policy rule violation should block
                            the admission review request (enforce), or allow (audit) the admission review request
                            and report an error in a policy report. Optional.
                            Allowed values are audit or enforce.
                          enum:
                          - audit
                          - enforce
                          - Audit
                          - Enforce
                          type: string
                        validationFailureActionOverrides:
                          description: |-
                            ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                            namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                          items:
                            properties:
                              action:
                                description: ValidationFailureAction defines the policy
                                  validation failure action
                                enum:
                                - audit
                                - enforce
                                - Audit
                                - Enforce
                                type: string
                              namespaceSelector:
                                description: |-
                                  A label selector is a label query over a set of resources. The result of matchLabels and
                                  matchExpressions are ANDed. An empty label selector matches all objects. A null
                                  label selector matches no objects.
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: |-
                                        A label selector requirement is a selector that contains values, a key, and an operator that
                                        relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: |-
                                            operator represents a key's relationship to a set of values.
                                            Valid operators are In, NotIn, Exists and DoesNotExist.
                                          type: string
                                        values:
                                          description: |-
                                            values is an array of string values. If the operator is In or NotIn,
                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array is replaced during a strategic
                                            merge patch.
                                          items:
                                            type: string
                                          type: array
                                          x-kubernetes-list-type: atomic
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                    x-kubernetes-list-type: atomic
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    description: |-
                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                                x-kubernetes-map-type: atomic
                              namespaces:
                                items:
                                  type: string
                                type: array
                            type: object
                          type: array
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: |-
                          ImageVerification validates that images that match the specified pattern
                          are signed with the supplied public key. Once the image is verified it is
                          mutated to include the SHA digest retrieved during the registration.
                        properties:
                          attestations:
                            description: |-
                              Attestations are optional checks for signed in-toto Statements used to verify the image.
                              See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                              OCI registry and decodes them into a list of Statement declarations.
                            items:
                              description: |-
                                Attestation is a check for signed in-toto Statements that are used to verify the image.
                                See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                OCI registry and decodes them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities).
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM-encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM-encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp response.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: |-
                                    Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long as there are predicates that match the predicate type.
                                  items:
                                    description: |-
                                      AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                      AllConditions get fulfilled only when all of its sub-conditions pass.
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be a fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: Deprecated in favour of 'Type', to
                                    be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specifies the required attestors
                              (i.e. authorities)
                            items:
                              properties:
                                count:
                                  description: |-
                                    Count specifies the required number of entries that must match. If the count is null, all entries must match
                                    (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                    value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: |-
                                    Entries contains the available attestors. An attestor can be a static key,
                                    attributes for keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations are used for image verification.
                                          Every specified key-value pair must exist and match in the verified payload.
                                          The payload may contain other key-value pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested set of Attestor
                                          used to specify a more complex set of match
                                          authorities.
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates.
                                        properties:
                                          cert:
                                            description: Cert is an optional PEM-encoded
                                              public certificate.
                                            type: string
                                          certChain:
                                            description: CertChain is an optional
                                              PEM encoded set of certificates used
                                              to verify.
                                            type: string
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp source.
                                                type: string
                                            type: object
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                        type: object
                                      keyless:
                                        description: |-
                                          Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp source.
                                                type: string
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          roots:
                                            description: |-
                                              Roots is an optional set of PEM encoded trusted root certificates.
                                              If not provided, the system roots are used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address.
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys.
                                        properties:
                                          ctlog:
                                            description: |-
                                              CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                              Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                            properties:
                                              ignoreSCT:
                                                description: |-
                                                  IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                  timestamp. Default is false. Set to true if this was opted out during signing.
                                                type: boolean
                                              pubkey:
                                                description: PubKey, if set, is used
                                                  to validate SCTs against a custom
                                                  source.
                                                type: string
                                              tsaCertChain:
                                                description: |-
                                                  TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                  contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp source.
                                                type: string
                                            type: object
                                          kms:
                                            description: |-
                                              KMS provides the URI to the public key stored in a Key Management System. See:
                                              https://github.com/sigstore/cosign/blob/main/KMS.md
                                            type: string
                                          publicKeys:
                                            description: |-
                                              Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                              specified or can be a variable reference to a key specified in a ConfigMap (see
                                              https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key `cosign.pub` containing the public key used for
                                              verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each key is processed as a separate staticKey entry
                                              (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                            type: string
                                          rekor:
                                            description: |-
                                              Rekor provides configuration for the Rekor transparency log service. If an empty object
                                              is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                            properties:
                                              ignoreTlog:
                                                description: IgnoreTlog skips transparency
                                                  log verification.
                                                type: boolean
                                              pubkey:
                                                description: |-
                                                  RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                  If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public Rekor log instance https://rekor.sigstore.dev.
                                                type: string
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha224, sha256, sha384 and sha512.
                                            type: string
                                        type: object
                                      repository:
                                        description: |-
                                          Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                          If specified Repository will override other OCI image repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          imageReferences:
                            description: |-
                              ImageReferences is a list of matching image reference patterns. At least one pattern in the
                              list must match the image for the rule to apply. Each image reference consists of a registry
                              address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry.
                                type: boolean
                              providers:
                                description: |-
                                  Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                  It can be of one of these values: default,google,azure,amazon,github.
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: |-
                                  Secrets specifies a list of secrets that are provided for credentials.
                                  Secrets must live in the Kyverno namespace.
                                items:
                                  type: string
                                type: array
                            type: object
                          mutateDigest:
                            default: true
                            description: |-
                              MutateDigest enables replacement of image tags with digests.
                              Defaults to true.
                            type: boolean
                          repository:
                            description: |-
                              Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                              If specified Repository will override the default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have passed a signature or attestation
                              check.
                            type: boolean
                          skipImageReferences:
                            description: |-
                              SkipImageReferences is a list of matching image reference patterns that should be skipped.
                              At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                              consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                              Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                            items:
                              type: string
                            type: array
                          type:
                            description: |-
                              Type specifies the method of signature validation. The allowed options
                              are Cosign and Notary. By default Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: Deprecated.
                type: boolean
              useServerSideApply:
                description: |-
                  UseServerSideApply controls whether to use server-side apply for generate rules
                  If set to "true", create & update for generate rules will use apply instead of create/update.
                  Defaults to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: Deprecated, use validationFailureAction under the validate
                  rule instead.
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: Deprecated, use validationFailureActionOverrides under
                  the validate rule instead.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: |-
                        A label selector is a label query over a set of resources. The result of matchLabels and
                        matchExpressions are ANDed. An empty label selector matches all objects. A null
                        label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookConfiguration:
                description: WebhookConfiguration specifies the custom configuration
                  for Kubernetes admission webhookconfiguration.
                properties:
                  failurePolicy:
                    description: |-
                      FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
                      Rules within the same policy share the same failure behavior.
                      This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
                      Allowed values are Ignore or Fail. Defaults to Fail.
                    enum:
                    - Ignore
                    - Fail
                    type: string
                  matchConditions:
                    description: |-
                      MatchCondition configures admission webhook matchConditions.
                      Requires Kubernetes 1.27 or later.
                    items:
                      description: MatchCondition represents a condition which must
                        be fulfilled for a request to be sent to a webhook.
                      properties:
                        expression:
                          description: |-
                            Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                            CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                            'object' - The object from the incoming request. The value is null for DELETE requests.
                            'oldObject' - The existing object. The value is null for CREATE requests.
                            'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                            'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                              See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                            'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                              request resource.
                            Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                            Required.
                          type: string
                        name:
                          description: |-
                            Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                            as well as providing an identifier for logging purposes. A good name should be descriptive of
                            the associated expression.
                            Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                            must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                            '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                            optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                            Required.
                          type: string
                      required:
                      - expression
                      - name
                      type: object
                    type: array
                  timeoutSeconds:
                    description: |-
                      TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
                      After the configured time expires, the admission request may fail, or may simply ignore the policy results,
                      based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.
                    format: int32
                    type: integer
                type: object
              webhookTimeoutSeconds:
                description: Deprecated, use timeoutSeconds under webhookConfiguration
                  instead.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: AutogenStatus contains autogen status information.
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: |-
                        Rule defines a validation, mutation, or generation control for matching resources.
                        Each rule contains a match declaration to select resources, and an optional exclude
                        declaration to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: |-
                            CELPreconditions are used to determine if a policy rule should be applied by evaluating a
                            set of CEL conditions. It can only be used with the validate.cel subrule
                          items:
                            description: MatchCondition represents a condition which
                              must be fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: |-
                                  Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
                                  CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:


                                  'object' - The object from the incoming request. The value is null for DELETE requests.
                                  'oldObject' - The existing object. The value is null for CREATE requests.
                                  'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
                                    See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
                                    request resource.
                                  Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/


                                  Required.
                                type: string
                              name:
                                description: |-
                                  Name is an identifier for this match condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes. A good name should be descriptive of
                                  the associated expression.
                                  Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
                                  '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
                                  optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')


                                  Required.
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: |-
                              ContextEntry adds variables and data sources to a rule Context. Either a
                              ConfigMap reference or a APILookup must be provided.
                            properties:
                              apiCall:
                                description: |-
                                  APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                  The data returned is stored in the context with the name for the context entry.
                                properties:
                                  data:
                                    description: |-
                                      The data object specifies the POST data sent to the server.
                                      Only applicable when the method field is set to POST.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST). Defaults to GET.
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: |-
                                      Service is an API call to a JSON web service.
                                      This is used for non-Kubernetes API server calls.
                                      It's mutually exclusive with the URLPath field.
                                    properties:
                                      caBundle:
                                        description: |-
                                          CABundle is a PEM encoded CA bundle which will be used to validate
                                          the server certificate.
                                        type: string
                                      url:
                                        description: |-
                                          URL is the JSON web service URL. A typical form is
                                          `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: |-
                                      URLPath is the URL path to be used in the HTTP GET or POST request to the
                                      Kubernetes API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used by the `kubectl get --raw` command.
                                      See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                      It's mutually exclusive with the Service field.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              globalReference:
                                description: GlobalContextEntryReference is a reference
                                  to a cached global context entry.
                                properties:
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the JSON response returned from the server. For example
                                      a JMESPath of "items | length(@)" applied to the API server response
                                      for the URLPath "/apis/apps/v1/deployments" will return the total count
                                      of deployments across all namespaces.
                                    type: string
                                  name:
                                    description: Name of the global context entry
                                    type: string
                                type: object
                              imageRegistry:
                                description: |-
                                  ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                  details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry.
                                        type: boolean
                                      providers:
                                        description: |-
                                          Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                          It can be of one of these values: default,google,azure,amazon,github.
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: |-
                                          Secrets specifies a list of secrets that are provided for credentials.
                                          Secrets must live in the Kyverno namespace.
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JSON Match Expression that can be used to
                                      transform the ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: |-
                                      Reference is image reference to a container image in the registry.
                                      Example: ghcr.io/kyverno/kyverno:latest
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: |-
                                      Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                      expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: |-
                                      JMESPath is an optional JMESPath Expression that can be used to
                                      transform the variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: |-
                            ExcludeResources defines when this policy rule should not be applied. The exclude
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                 description: ResourceFilter allows users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                           Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                           and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespaces names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                           ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                           Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                           Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                           and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                           Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                           ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                           Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                             If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                     Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                     and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                     Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                   description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                     Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                       If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: |-
                                Clone specifies the source resource used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither is provided, the generated
                                resource will be created with default data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resources used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels`
                                    do not support wildcard characters.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: |-
                                Data provides the resource declaration used to populate each generated resource.
                                At most one of Data or Clone can be specified. If neither is provided, the generated
                                resource will be created with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            generateExisting:
                              description: |-
                                GenerateExisting controls whether to trigger the rule in existing resources.
                                If it is set to "true" the rule will be triggered and applied to existing matched resources.
                              type: boolean
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            orphanDownstreamOnPolicyDelete:
                              description: |-
                                OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
                                them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
                                See https://kyverno.io/docs/writing-policies/generate/#data-examples.
                                Defaults to "false" if not specified.
                              type: boolean
                            synchronize:
                              description: |-
                                Synchronize controls if generated resources should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated resources will be overwritten with resource
                                data from Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                            uid:
                              description: UID specifies the resource uid.
                              type: string
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: |-
                                    JMESPath is an optional JMESPath expression to apply to the image value.
                                    This is useful when the extracted image begins with a prefix like 'docker://'.
                                    The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
                                    Note - Image digest mutation may not be used when applying a JMESPath to an image.
                                  type: string
                                key:
                                  description: |-
                                    Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
                                    Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: |-
                                    Name is the entry the image will be available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will appear under 'images.custom'.
                                  type: string
                                path:
                                  description: |-
                                    Path is the path to the object containing the image field in a custom resource.
                                    It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
                                    Wildcard keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: |-
                                    Value is an optional name of the field within 'path' that points to the image URI.
                                    This is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: |-
                            ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
                            This config is only valid for verifyImages rules.
                          type: object
                        match:
                          description: |-
                            MatchResources defines when this policy rule should be applied. The match
                            criteria can include resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                          and values support the wildcard characters "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: |-
                                          Name is the name of the resource. The name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                          NOTE: "Name" is being deprecated in favor of "Names".
                                        type: string
                                      names:
                                        description: |-
                                          Names are the names of the resources. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: |-
                                          NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                          in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                          and `?` (matches one character). Wildcards allow writing label selectors like
                                          ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                          does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: |-
                                          Namespaces is a list of namespace names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE", "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: |-
                                          Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                          characters `*` (matches zero or many characters) and `?` (matches one character).
                                          Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                          using ["*" : "*"] matches any key and value but does not match an empty label set.
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: |-
                                                A label selector requirement is a selector that contains values, a key, and an operator that
                                                relates the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: |-
                                                    operator represents a key's relationship to a set of values.
                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: |-
                                                    values is an array of string values. If the operator is In or NotIn,
                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                    the values array must be empty. This array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                                  x-kubernetes-list-type: atomic
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                            x-kubernetes-list-type: atomic
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: |-
                                        Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                        or a value for non-objects such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: |-
                                            APIGroup holds the API group of the referenced subject.
                                            Defaults to "" for ServiceAccount subjects.
                                            Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                          type: string
                                        kind:
                                          description: |-
                                            Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                            If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: |-
                                            Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                            the Authorizer should report an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: |-
                                ResourceDescription contains information about the resource being created or modified.
                                Requires at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match is being deprecated.
                                Please specify under "any" or "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*" (matches zero or many characters) and
                                    "?" (matches at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: |-
                                    Name is the name of the resource. The name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                    NOTE: "Name" is being deprecated in favor of "Names".
                                  type: string
                                names:
                                  description: |-
                                    Names are the names of the resources. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: |-
                                    NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allow writing label selectors like
                                    ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                    does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: |-
                                    Namespaces is a list of namespace names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?" (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE",
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: |-
                                    Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters) and `?` (matches one character).
                                    Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                    using ["*" : "*"] matches any key and value but does not match an empty label set.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: |-
                                          A label selector requirement is a selector that contains values, a key, and an operator that
                                          relates the key and values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: |-
                                              operator represents a key's relationship to a set of values.
                                              Valid operators are In, NotIn, Exists and DoesNotExist.
                                            type: string
                                          values:
                                            description: |-
                                              values is an array of string values. If the operator is In or NotIn,
                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                            x-kubernetes-list-type: atomic
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                      x-kubernetes-list-type: atomic
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: |-
                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: |-
                                  Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                                  or a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: |-
                                      APIGroup holds the API group of the referenced subject.
                                      Defaults to "" for ServiceAccount subjects.
                                      Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                    type: string
                                  kind:
                                    description: |-
                                      Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                      If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                      the Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies the list of OCI registry credential providers to use for authentication.
                                                    Each entry must be one of: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is an image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  order:
                                    description: |-
                                      Order defines the iteration order on the list.
                                      Can be Ascending to iterate from the first to the last element, or Descending to iterate from the last to the first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: |-
                                      PatchStrategicMerge is a strategic merge patch used to modify resources.
                                      See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: |-
                                      PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                      See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            mutateExistingOnPolicyUpdate:
                              description: MutateExistingOnPolicyUpdate controls if
                                the mutateExisting rule will be applied on policy
                                events.
                              type: boolean
                            patchStrategicMerge:
                              description: |-
                                PatchStrategicMerge is a strategic merge patch used to modify resources.
                                See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: |-
                                PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
                                See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies the list of OCI registry credential providers to use for authentication.
                                                    Each entry must be one of: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is an image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: |-
                                      Preconditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    x-kubernetes-preserve-unknown-fields: true
                                  uid:
                                    description: UID specifies the resource uid.
                                    type: string
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule. It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: |-
                            Preconditions are used to determine if a policy rule should be applied by evaluating a
                            set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
                            of conditions (without `any` or `all` statements) is supported for backwards compatibility but
                            will be deprecated in the next major release.
                            See: https://kyverno.io/docs/writing-policies/preconditions/
                          x-kubernetes-preserve-unknown-fields: true
                        skipBackgroundRequests:
                          default: true
                          description: |-
                            SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
                            The default value is "true"; it must be set to "false" to apply
                            generate and mutateExisting rules to those requests.
                          type: boolean
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: |-
                                AnyPattern specifies list of validation patterns. At least one of the patterns
                                must be satisfied for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: |-
                                          key specifies the audit annotation key. The audit annotation keys of
                                          a ValidatingAdmissionPolicy must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.


                                          The key is combined with the resource name of the
                                          ValidatingAdmissionPolicy to construct an audit annotation key:
                                          "{ValidatingAdmissionPolicy name}/{key}".


                                          If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation key will be identical.
                                          In this case, the first annotation written with the key will be included
                                          in the audit event and all subsequent annotations with the same key
                                          will be discarded.


                                          Required.
                                        type: string
                                      valueExpression:
                                        description: |-
                                          valueExpression represents the expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression must evaluate to either
                                          a string or null value. If the expression evaluates to a string, the
                                          audit annotation is included with the string value. If the expression
                                          evaluates to null or empty string the audit annotation will be omitted.
                                          The valueExpression may be no longer than 5kb in length.
                                          If the result of the valueExpression is more than 10kb in length, it
                                          will be truncated to 10kb.


                                          If multiple ValidatingAdmissionPolicyBinding resources match an
                                          API request, then the valueExpression will be evaluated for
                                          each binding. All unique values produced by the valueExpressions
                                          will be joined together in a comma-separated list.


                                          Required.
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
                                          expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables:\n\n\n- 'object' - The object
                                          from the incoming request. The value is
                                          null for DELETE requests.\n- 'oldObject'
                                          - The existing object. The value is null
                                          for CREATE requests.\n- 'request' - Attributes
                                          of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
                                          'params' - Parameter resource referred to
                                          by the policy binding being evaluated. Only
                                          populated if the policy has a ParamKind.\n-
                                          'namespaceObject' - The namespace object
                                          that the incoming object belongs to. The
                                          value is null for cluster-scoped resources.\n-
                                          'variables' - Map of composited variables,
                                          from its name to its lazily evaluated value.\n
                                          \ For example, a variable named 'foo' can
                                          be accessed as 'variables.foo'.\n- 'authorizer'
                                          - A CEL Authorizer. May be used to perform
                                          authorization checks for the principal (user
                                          or service account) of the request.\n  See
                                          https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
                                          'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the\n  request resource.\n\n\nThe `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the\nobject.
                                          No other metadata properties are accessible.\n\n\nOnly
                                          property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                          are accessible.\nAccessible property names
                                          are escaped according to the following rules
                                          when accessed in the expression:\n- '__'
                                          escapes to '__underscores__'\n- '.' escapes
                                          to '__dot__'\n- '-' escapes to '__dash__'\n-
                                          '/' escapes to '__slash__'\n- Property names
                                          that exactly match a CEL RESERVED keyword
                                          escape to '__{keyword}__'. The keywords
                                          are:\n\t  \"true\", \"false\", \"null\",
                                          \"in\", \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",\n\t
                                          \ \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\".\nExamples:\n
                                          \ - Expression accessing a property named
                                          \"namespace\": {\"Expression\": \"object.__namespace__
                                          > 0\"}\n  - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"}\n  - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"}\n\n\nEquality on arrays with list
                                          type of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1].\nConcatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type:\n  - 'set':
                                          `X + Y` performs a union where the array
                                          positions of all elements in `X` are preserved
                                          and\n    non-intersecting elements in `Y`
                                          are appended, retaining their partial order.\n
                                          \ - 'map': `X + Y` performs a merge where
                                          the array positions of all keys in `X` are
                                          preserved but the values\n    are overwritten
                                          by values in `Y` when the key sets of `X`
                                          and `Y` intersect. Elements in `Y` with\n
                                          \   non-intersecting keys are appended,
                                          retaining their partial order.\nRequired."
                                        type: string
                                      message:
                                        description: |-
                                          Message represents the message displayed when validation fails. If the Expression contains
                                          line breaks, Message is required. The message must not contain line breaks.
                                          If unset, the message is "failed Expression: {Expression}".
                                          e.g. "must be a URL with the host matching spec.host"
                                          Because the message is surfaced to the requester, avoid including details in it
                                          that the requester should not be able to learn.
                                        type: string
                                      messageExpression:
                                        description: |-
                                          messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
                                          Since messageExpression is used as a failure message, it must evaluate to a string.
                                          If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
                                          If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
                                          as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
                                          that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
                                          the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
                                          messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
                                          Example:
                                          "object.x must be less than max ("+string(params.max)+")"
                                        type: string
                                      reason:
                                        description: |-
                                          Reason represents a machine-readable description of why this validation failed.
                                          If this is the first validation in the list to fail, this reason, as well as the
                                          corresponding HTTP response code, are used in the
                                          HTTP response to the client.
                                          The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
                                          If not set, StatusReasonInvalid is used in the response to the client.
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: |-
                                        APIVersion is the API group version the resources belong to.
                                        In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: |-
                                        Kind is the API kind the resources belong to.
                                        Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: |-
                                        `name` is the name of the resource being referenced.


                                        `name` and `selector` are mutually exclusive properties. If one is set,
                                        the other must be unset.
                                      type: string
                                    namespace:
                                      description: |-
                                        namespace is the namespace of the referenced resource. Allows limiting
                                        the search for params to a specific namespace. Applies to both `name` and
                                        `selector` fields.


                                        A per-namespace parameter may be used by specifying a namespace-scoped
                                        `paramKind` in the policy and leaving this field empty.


                                        - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
                                        field results in a configuration error.


                                        - If `paramKind` is namespace-scoped, the namespace of the object being
                                        evaluated for admission will be used when this field is left unset. Take
                                        care that if this is left empty the binding must not match any cluster-scoped
                                        resources, which will result in an error.
                                      type: string
                                    parameterNotFoundAction:
                                      description: |-
                                        `parameterNotFoundAction` controls the behavior of the binding when the resource
                                        exists, and name or selector is valid, but there are no parameters
                                        matched by the binding. If the value is set to `Allow`, then no
                                        matched parameters will be treated as successful validation by the binding
                                        (the policy effectively fails open for that request). If set to `Deny`,
                                        then no matched parameters will be subject to the `failurePolicy` of the policy.


                                        Allowed values are `Allow` or `Deny`.
                                        Defaults to `Deny`.
                                      type: string
                                    selector:
                                      description: |-
                                        selector can be used to match multiple param objects based on their labels.
                                        Supply selector: {} to match all resources of the ParamKind.


                                        If multiple params are found, they are all evaluated with the policy expressions
                                        and the results are ANDed together.


                                        One of `name` or `selector` must be set, but `name` and `selector` are
                                        mutually exclusive properties. If one is set, the other must be unset.
                                      properties:
                                        matchExpressions:
                                          description: matchExpressions is a list
                                            of label selector requirements. The requirements
                                            are ANDed.
                                          items:
                                            description: |-
                                              A label selector requirement is a selector that contains values, a key, and an operator that
                                              relates the key and values.
                                            properties:
                                              key:
                                                description: key is the label key
                                                  that the selector applies to.
                                                type: string
                                              operator:
                                                description: |-
                                                  operator represents a key's relationship to a set of values.
                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                                type: string
                                              values:
                                                description: |-
                                                  values is an array of string values. If the operator is In or NotIn,
                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                  the values array must be empty. This array is replaced during a strategic
                                                  merge patch.
                                                items:
                                                  type: string
                                                type: array
                                                x-kubernetes-list-type: atomic
                                            required:
                                            - key
                                            - operator
                                            type: object
                                          type: array
                                          x-kubernetes-list-type: atomic
                                        matchLabels:
                                          additionalProperties:
                                            type: string
                                          description: |-
                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                                          type: object
                                      type: object
                                      x-kubernetes-map-type: atomic
                                  type: object
                                  x-kubernetes-map-type: atomic
                                variables:
                                  description: |-
                                    Variables contain definitions of variables that can be used in composition of other expressions.
                                    Each variable is defined as a named CEL expression.
                                    The variables defined here will be available under `variables` in other expressions of the policy.
                                  items:
                                    description: Variable is the definition of a variable
                                      that is used for composition.
                                    properties:
                                      expression:
                                        description: |-
                                          Expression is the expression that will be evaluated as the value of the variable.
                                          The CEL expression has access to the same identifiers as the CEL expressions in Validation.
                                        type: string
                                      name:
                                        description: |-
                                          Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
                                          The variable can be accessed in other expressions through `variables`
                                          For example, if name is "foo", the variable will be available as `variables.foo`
                                        type: string
                                    required:
                                    - expression
                                    - name
                                    type: object
                                  type: array
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: |-
                                    Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: |-
                                      AnyPattern specifies list of validation patterns. At least one of the patterns
                                      must be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: |-
                                        ContextEntry adds variables and data sources to a rule Context. Either a
                                        ConfigMap reference or an APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: |-
                                            APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
                                            The data returned is stored in the context with the name for the context entry.
                                            Data returned by a non-Kubernetes service should be treated as untrusted input to the rule.
                                          properties:
                                            data:
                                              description: |-
                                                The data object specifies the POST data sent to the server.
                                                Only applicable when the method field is set to POST.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST). Defaults to GET.
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: |-
                                                Service is an API call to a JSON web service.
                                                This is used for non-Kubernetes API server calls.
                                                It's mutually exclusive with the URLPath field.
                                              properties:
                                                caBundle:
                                                  description: |-
                                                    CABundle is a PEM encoded CA bundle which will be used to validate
                                                    the server certificate.
                                                  type: string
                                                url:
                                                  description: |-
                                                    URL is the JSON web service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: |-
                                                URLPath is the URL path to be used in the HTTP GET or POST request to the
                                                Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
                                                The format required is the same format used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                                It's mutually exclusive with the Service field.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        globalReference:
                                          description: GlobalContextEntryReference
                                            is a reference to a cached global context
                                            entry.
                                          properties:
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the JSON response returned from the server. For example
                                                a JMESPath of "items | length(@)" applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments" will return the total count
                                                of deployments across all namespaces.
                                              type: string
                                            name:
                                              description: Name of the global context
                                                entry
                                              type: string
                                          type: object
                                        imageRegistry:
                                          description: |-
                                            ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
                                            details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with the registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry.
                                                  type: boolean
                                                providers:
                                                  description: |-
                                                    Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                                    It can be one of these values: default, google, azure, amazon, github.
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: |-
                                                    Secrets specifies a list of secrets that are provided for credentials.
                                                    Secrets must live in the Kyverno namespace.
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JSON Match Expression that can be used to
                                                transform the ImageData struct returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: |-
                                                Reference is image reference to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: |-
                                                Default is an optional arbitrary JSON object that the variable may take if the JMESPath
                                                expression evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: |-
                                                JMESPath is an optional JMESPath Expression that can be used to
                                                transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: |-
                                          Multiple conditions can be declared under an `any` or `all` statement. A direct list
                                          of conditions (without `any` or `all` statements) is also supported for backwards compatibility
                                          but will be deprecated in the next major release.
                                          See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: |-
                                      ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used as the validation scope within the foreach
                                      block to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: |-
                                      List specifies a JMESPath expression that results in one or more elements
                                      to which the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: |-
                                      AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
                                      set of conditions. The declaration can contain nested `any` or `all` statements.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/
                                    properties:
                                      all:
                                        description: |-
                                          AllConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, all of the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be a fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: |-
                                          AnyConditions enable variable-based conditional rule execution. This is useful for
                                          finer control of when a rule is applied. A condition can reference object data
                                          using JMESPath notation.
                                          Here, at least one of the conditions needs to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: |-
                                                Operator is the conditional operation to perform. Valid operators are:
                                                Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                DurationLessThanOrEquals, DurationLessThan
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: |-
                                                Value is the conditional value, or set of values. The values can be a fixed set
                                                or can be variables declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specifies the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: |-
                                          Count specifies the required number of entries that must match. If the count is null, all entries must match
                                          (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                          value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: |-
                                          Entries contains the available attestors. An attestor can be a static key,
                                          attributes for keyless verification, or a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: |-
                                                Annotations are used for image verification.
                                                Every specified key-value pair must exist and match in the verified payload.
                                                The payload may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested set
                                                of Attestor used to specify a more
                                                complex set of match authorities.
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates.
                                              properties:
                                                cert:
                                                  description: Cert is an optional
                                                    PEM-encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertChain is an optional
                                                    PEM-encoded set of certificates
                                                    used to verify.
                                                  type: string
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp source.
                                                      type: string
                                                  type: object
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                              type: object
                                            keyless:
                                              description: |-
                                                Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                        may contain the leaf TSA certificate if not present in the timestamp source.
                                                      type: string
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                roots:
                                                  description: |-
                                                    Roots is an optional set of PEM encoded trusted root certificates.
                                                    If not provided, the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address.
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys.
                                              properties:
                                                ctlog:
                                                  description: |-
                                                    CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                    Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: |-
                                                        IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                        timestamp. Default is false. Set to true if this was opted out during signing.
                                                      type: boolean
                                                    pubkey:
                                                      description: PubKey, if set,
                                                        is used to validate SCTs against
                                                        a custom source.
                                                      type: string
                                                    tsaCertChain:
                                                      description: |-
                                                        TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                        contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                  may contain the leaf TSA certificate if not present in the timestamp.
                                                      type: string
                                                  type: object
                                                kms:
                                                  description: |-
                                                    KMS provides the URI to the public key stored in a Key Management System. See:
                                                    https://github.com/sigstore/cosign/blob/main/KMS.md
                                                  type: string
                                                publicKeys:
                                                  description: |-
                                                    Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                    specified or can be a variable reference to a key specified in a ConfigMap (see
                                                    https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                    elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify a key `cosign.pub` containing the public key used for
                                                    verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified, each key is processed as a separate staticKey entry
                                                    (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                  type: string
                                                rekor:
                                                  description: |-
                                                    Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                    is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                  properties:
                                                    ignoreTlog:
                                                      description: IgnoreTlog skips
                                                        transparency log verification.
                                                      type: boolean
                                                    pubkey:
                                                      description: |-
                                                        RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                        If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public Rekor log instance
                                                        https://rekor.sigstore.dev.
                                                      type: string
                                                  type: object
                                                secret:
                                            description: Reference to a Secret resource that contains a public key.
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha224, sha256, sha384 and
                                                    sha512.
                                                  type: string
                                              type: object
                                            repository:
                                              description: |-
                                                Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                If specified Repository will override other OCI image repository locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: |-
                                    Repository is an optional alternate OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: |-
                                PodSecurity applies exemptions for Kubernetes Pod Security admission
                                by specifying exclusions for Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: |-
                                          ControlName specifies the name of the Pod Security Standard control.
                                          See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: |-
                                          Images selects matching containers and applies the container level PSS.
                                          Each image is the image name consisting of the registry address, repository, image, and tag.
                                      An empty list matches no containers; PSS checks are applied at the pod level only.
                                          Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                        items:
                                          type: string
                                        type: array
                                      restrictedField:
                                        description: |-
                                          RestrictedField selects the field for the given Pod Security Standard control.
                                          When not set, all restricted fields for the control are selected.
                                        type: string
                                      values:
                                        description: Values defines the allowed values
                                          that can be excluded.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: |-
                                    Level defines the Pod Security Standard level to be applied to workloads.
                                    Allowed values are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: |-
                                    Version defines the Pod Security Standard versions that Kubernetes supports.
                                    Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - v1.27
                                  - v1.28
                                  - v1.29
                                  - latest
                                  type: string
                              type: object
                            validationFailureAction:
                              description: |-
                                ValidationFailureAction defines if a validation policy rule violation should block
                                the admission review request (enforce), or allow (audit) the admission review request
                                and report an error in a policy report. Optional.
                                Allowed values are audit or enforce.
                              enum:
                              - audit
                              - enforce
                              - Audit
                              - Enforce
                              type: string
                            validationFailureActionOverrides:
                              description: |-
                                ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
                                namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
                              items:
                                properties:
                                  action:
                                description: ValidationFailureAction defines the
                                  policy validation failure action.
                                    enum:
                                    - audit
                                    - enforce
                                    - Audit
                                    - Enforce
                                    type: string
                                  namespaceSelector:
                                    description: |-
                                      A label selector is a label query over a set of resources. The result of matchLabels and
                                      matchExpressions are ANDed. An empty label selector matches all objects. A null
                                      label selector matches no objects.
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: |-
                                            A label selector requirement is a selector that contains values, a key, and an operator that
                                            relates the key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: |-
                                                operator represents a key's relationship to a set of values.
                                                Valid operators are In, NotIn, Exists and DoesNotExist.
                                              type: string
                                            values:
                                              description: |-
                                                values is an array of string values. If the operator is In or NotIn,
                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                              x-kubernetes-list-type: atomic
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                        x-kubernetes-list-type: atomic
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: |-
                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    items:
                                      type: string
                                    type: array
                                type: object
                              type: array
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: |-
                              ImageVerification validates that images that match the specified pattern
                              are signed with the supplied public key. Once the image is verified it is
                              mutated to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Deprecated. Use annotations per Attestor
                                  instead.
                                type: object
                              attestations:
                                description: |-
                                  Attestations are optional checks for signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                  OCI registry and decodes them into a list of Statement declarations.
                                items:
                                  description: |-
                                Attestation specifies checks for signed in-toto Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
                                    OCI registry and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities).
                                      items:
                                        properties:
                                          count:
                                            description: |-
                                              Count specifies the required number of entries that must match. If the count is null, all entries must match
                                              (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                              value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: |-
                                              Entries contains the available attestors. An attestor can be a static key,
                                              attributes for keyless verification, or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: |-
                                                    Annotations are used for image verification.
                                                    Every specified key-value pair must exist and match in the verified payload.
                                                    The payload may contain other key-value pairs.
                                                  type: object
                                                attestor:
                                            description: Attestor is a nested
                                              set of Attestors used to specify
                                              a more complex set of match authorities.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates.
                                                  properties:
                                                    cert:
                                                      description: Cert is an optional
                                                        PEM-encoded public certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertChain is an
                                                        optional PEM encoded set of
                                                        certificates used to verify.
                                                      type: string
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification. When true,
                                                            a signature is accepted
                                                            without a Rekor transparency
                                                            log entry.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: |-
                                                    Keyless is a set of attributes used to verify a Sigstore keyless attestor.
                                                    See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification. When true,
                                                            a signature is accepted
                                                            without a Rekor transparency
                                                            log entry.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    roots:
                                                      description: |-
                                                        Roots is an optional set of PEM encoded trusted root certificates.
                                                        If not provided, the system roots are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address.
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys.
                                                  properties:
                                                    ctlog:
                                                      description: |-
                                                        CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                        Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: |-
                                                            IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                            timestamp. Default is false. Set to true if this was opted out during signing.
                                                          type: boolean
                                                        pubkey:
                                                          description: PubKey, if
                                                            set, is used to validate
                                                            SCTs against a custom
                                                            source.
                                                          type: string
                                                        tsaCertChain:
                                                          description: |-
                                                            TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                            contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                            may contain the leaf TSA certificate if not present in the timestamp source.
                                                          type: string
                                                      type: object
                                                    kms:
                                                      description: |-
                                                        KMS provides the URI to the public key stored in a Key Management System. See:
                                                        https://github.com/sigstore/cosign/blob/main/KMS.md
                                                      type: string
                                                    publicKeys:
                                                      description: |-
                                                        Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                        specified or can be a variable reference to a key specified in a ConfigMap (see
                                                        https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                        elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify a key `cosign.pub` containing the public key used for
                                                        verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified each key is processed as a separate staticKey entry
                                                        (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                      type: string
                                                    rekor:
                                                      description: |-
                                                        Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                        is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                      properties:
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skips transparency log
                                                            verification. When true,
                                                            a signature is accepted
                                                            without a Rekor transparency
                                                            log entry.
                                                          type: boolean
                                                        pubkey:
                                                          description: |-
                                                            RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                            If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            Rekor log instance https://rekor.sigstore.dev.
                                                          type: string
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha224,
                                                        sha256, sha384 and sha512.
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: |-
                                                    Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                                    If specified, Repository will override other OCI image repository locations for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: |-
                                        Conditions are used to verify attributes within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long as there are predicates that match the predicate type.
                                      items:
                                        description: |-
                                          AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
                                          AnyConditions get fulfilled when at least one of its sub-conditions passes.
                                          AllConditions get fulfilled only when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: |-
                                              AllConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, all of the conditions need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: |-
                                              AnyConditions enable variable-based conditional rule execution. This is useful for
                                              finer control of when a rule is applied. A condition can reference object data
                                              using JMESPath notation.
                                              Here, at least one of the conditions needs to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: |-
                                                    Operator is the conditional operation to perform. Valid operators are:
                                                    Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                                    GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                                                    DurationLessThanOrEquals, DurationLessThan
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: |-
                                                    Value is the conditional value, or set of values. The values can be fixed set
                                                    or can be variables declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: Deprecated in favour of 'Type',
                                        to be removed soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specifies the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: |-
                                        Count specifies the required number of entries that must match. If the count is null, all entries must match
                                        (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
                                        value N, then N must be less than or equal to the size of entries, and at least N entries must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: |-
                                        Entries contains the available attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: |-
                                              Annotations are used for image verification.
                                              Every specified key-value pair must exist and match in the verified payload.
                                              The payload may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested set
                                              of Attestor used to specify a more complex
                                              set of match authorities.
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates.
                                            properties:
                                              cert:
                                                description: Cert is an optional PEM-encoded
                                                  public certificate.
                                                type: string
                                              certChain:
                                                description: CertChain is an optional
                                                  PEM encoded set of certificates
                                                  used to verify.
                                                type: string
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp source.
                                                    type: string
                                                type: object
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                            type: object
                                          keyless:
                                            description: |-
                                              Keyless is a set of attribute used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              roots:
                                                description: |-
                                                  Roots is an optional set of PEM encoded trusted root certificates.
                                                  If not provided, the system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address.
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys.
                                            properties:
                                              ctlog:
                                                description: |-
                                                  CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
                                                  Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: |-
                                                      IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
                                                      timestamp. Default is false. Set to true if this was opted out during signing.
                                                    type: boolean
                                                  pubkey:
                                                    description: PubKey, if set, is
                                                      used to validate SCTs against
                                                      a custom source.
                                                    type: string
                                                  tsaCertChain:
                                                    description: |-
                                                      TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
                                                      contain the root CA certificate. Optionally may contain intermediate CA certificates, and
                                                      may contain the leaf TSA certificate if not present in the timestamp response.
                                                    type: string
                                                type: object
                                              kms:
                                                description: |-
                                                  KMS provides the URI to the public key stored in a Key Management System. See:
                                                  https://github.com/sigstore/cosign/blob/main/KMS.md
                                                type: string
                                              publicKeys:
                                                description: |-
                                                  Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
                                                  specified or can be a variable reference to a key specified in a ConfigMap (see
                                                  https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
                                                  elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a key `cosign.pub` containing the public key used for
                                                  verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified each key is processed as a separate staticKey entry
                                                  (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
                                                type: string
                                              rekor:
                                                description: |-
                                                  Rekor provides configuration for the Rekor transparency log service. If an empty object
                                                  is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
                                                properties:
                                                  ignoreTlog:
                                                    description: IgnoreTlog skips
                                                      transparency log verification.
                                                    type: boolean
                                                  pubkey:
                                                    description: |-
                                                      RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
                                                      If set, this will be used to validate transparency log signatures from a custom Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public Rekor log instance
                                                      https://rekor.sigstore.dev.
                                                    type: string
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha224, sha256, sha384 and sha512.
                                                type: string
                                            type: object
                                          repository:
                                            description: |-
                                              Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
                                              If specified Repository will override other OCI image repository locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              cosignOCI11:
                                description: |-
                                  CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
                                  Defaults to false.
                                type: boolean
                              image:
                                description: Deprecated. Use ImageReferences instead.
                                type: string
                              imageReferences:
                                description: |-
                                  ImageReferences is a list of matching image reference patterns. At least one pattern in the
                                  list must match the image for the rule to apply. Each image reference consists of a registry
                                  address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with the registry.
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry.
                                    type: boolean
                                  providers:
                                    description: |-
                                      Providers specifies a list of OCI Registry names, whose authentication providers are provided.
                                      It can be one of these values: default, google, azure, amazon, github.
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: |-
                                      Secrets specifies a list of secrets that are provided for credentials.
                                      Secrets must live in the Kyverno namespace.
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              key:
                                description: Deprecated. Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: |-
                                  MutateDigest enables replacement of image tags with digests.
                                  Defaults to true.
                                type: boolean
                              repository:
                                description: |-
                                  Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
                                  If specified Repository will override the default OCI image repository configured for the installation.
                                  The repository can also be overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                  i.e. have matched and passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              skipImageReferences:
                                description: |-
                                  SkipImageReferences is a list of matching image reference patterns that should be skipped.
                                  At least one pattern in the list must match the image for the rule to be skipped. Each image reference
                                  consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
                                  Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                items:
                                  type: string
                                type: array
                              subject:
                                description: Deprecated. Use KeylessAttestor instead.
                                type: string
                              type:
                                description: |-
                                  Type specifies the method of signature validation. The allowed options
                                  are Cosign and Notary. By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule.
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource.\n---\nThis struct is intended for
                    direct use as an array at the field path .status.conditions.  For
                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
                    observations of a foo's current state.\n\t    // Known .status.conditions.type
                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
                    \   // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: |-
                  RuleCountStatus contains four variables which describe counts for
                  validate, generate, mutate and verify images rules
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
              validatingadmissionpolicy:
                description: ValidatingAdmissionPolicy contains status information
                properties:
                  generated:
                    description: Generated indicates whether a validating admission
                      policy is generated from the policy or not
                    type: boolean
                  message:
                    description: |-
                      Message is a human readable message indicating details about the generation of validating admission policy.
                      It is an empty string when validating admission policy is successfully generated.
                    type: string
                required:
                - generated
                - message
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: policyexceptions.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: PolicyException
    listKind: PolicyExceptionList
    plural: policyexceptions
    shortNames:
    - polex
    singular: policyexception
  scope: Namespaced
  versions:
  - name: v2
    schema:
      openAPIV3Schema:
        description: PolicyException declares resources to be excluded from specified
          policies.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy exception behaviors.
            properties:
              background:
                description: |-
                  Background controls if exceptions are applied to existing policies during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              conditions:
                description: |-
                  Conditions are used to determine if a resource applies to the exception by evaluating a
                  set of conditions. The declaration can contain nested `any` or `all` statements.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              exceptions:
                description: Exceptions is a list of policy/rules to be excluded
                items:
                  description: Exception stores information about a policy and its rules
                  properties:
                    policyName:
                      description: |-
                        PolicyName identifies the policy to which the exception is applied.
                        The policy name uses the format <namespace>/<name> unless it
                        references a ClusterPolicy.
                      type: string
                    ruleNames:
                      description: RuleNames identifies the rules to which the exception
                        is applied.
                      items:
                        type: string
                      type: array
                  required:
                  - policyName
                  - ruleNames
                  type: object
                type: array
              match:
                description: Match defines match clause used to check if a resource
                  applies to the exception
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allows users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              podSecurity:
                description: |-
                  PodSecurity specifies the Pod Security Standard controls to be excluded.
                  Applicable only to policies that have validate.podSecurity subrule.
                items:
                  description: PodSecurityStandard specifies the Pod Security Standard
                    controls to be excluded.
                  properties:
                    controlName:
                      description: |-
                        ControlName specifies the name of the Pod Security Standard control.
                        See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                      enum:
                      - HostProcess
                      - Host Namespaces
                      - Privileged Containers
                      - Capabilities
                      - HostPath Volumes
                      - Host Ports
                      - AppArmor
                      - SELinux
                      - /proc Mount Type
                      - Seccomp
                      - Sysctls
                      - Volume Types
                      - Privilege Escalation
                      - Running as Non-root
                      - Running as Non-root user
                      type: string
                    images:
                      description: |-
                        Images selects matching containers and applies the container level PSS.
                        Each image is the image name consisting of the registry address, repository, image, and tag.
                        An empty list matches no containers; PSS checks are then applied at the pod level only.
                        Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                      items:
                        type: string
                      type: array
                    restrictedField:
                      description: |-
                        RestrictedField selects the field for the given Pod Security Standard control.
                        When not set, all restricted fields for the control are selected.
                      type: string
                    values:
                      description: Values defines the allowed values that can be excluded.
                      items:
                        type: string
                      type: array
                  required:
                  - controlName
                  type: object
                type: array
            required:
            - exceptions
            - match
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
  - deprecated: true
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: PolicyException declares resources to be excluded from specified
          policies.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy exception behaviors.
            properties:
              background:
                description: |-
                  Background controls if exceptions are applied to existing policies during a background scan.
                  Optional. Default value is "true". The value must be set to "false" if the policy rule
                  uses variables that are only available in the admission review request (e.g. user name).
                type: boolean
              conditions:
                description: |-
                  Conditions are used to determine if a resource applies to the exception by evaluating a
                  set of conditions. The declaration can contain nested `any` or `all` statements.
                properties:
                  all:
                    description: |-
                      AllConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be a fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: |-
                      AnyConditions enable variable-based conditional rule execution. This is useful for
                      finer control of when a rule is applied. A condition can reference object data
                      using JMESPath notation.
                      Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: |-
                            Operator is the conditional operation to perform. Valid operators are:
                            Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                            GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
                            DurationLessThanOrEquals, DurationLessThan
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: |-
                            Value is the conditional value, or set of values. The values can be a fixed set
                            or can be variables declared using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              exceptions:
                description: Exceptions is a list of policy/rules to be excluded
                items:
                  description: Exception stores information about a policy and its rules
                  properties:
                    policyName:
                      description: |-
                        PolicyName identifies the policy to which the exception is applied.
                        The policy name uses the format <namespace>/<name> unless it
                        references a ClusterPolicy.
                      type: string
                    ruleNames:
                      description: RuleNames identifies the rules to which the exception
                        is applied.
                      items:
                        type: string
                      type: array
                  required:
                  - policyName
                  - ruleNames
                  type: object
                type: array
              match:
                description: Match defines match clause used to check if a resource
                  applies to the exception
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty,
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: |-
                                Annotations is a map of annotations (key-value pairs of type string). Annotation keys
                                and values support the wildcard characters "*" (matches zero or many characters) and
                                "?" (matches at least one character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: |-
                                Name is the name of the resource. The name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".
                              type: string
                            names:
                              description: |-
                                Names are the names of the resources. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: |-
                                NamespaceSelector is a label selector for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
                                and `?` (matches one character). Wildcards allow writing label selectors like
                                ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
                                does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: |-
                                Namespaces is a list of namespace names. Each name supports wildcard characters
                                "*" (matches zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE",
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: |-
                                Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
                                characters `*` (matches zero or many characters) and `?` (matches one character).
                                Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
                                using ["*" : "*"] matches any key and value but does not match an empty label set.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: |-
                                      A label selector requirement is a selector that contains values, a key, and an operator that
                                      relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: |-
                                          operator represents a key's relationship to a set of values.
                                          Valid operators are In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: |-
                                          values is an array of string values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                          the values array must be empty. This array is replaced during a strategic
                                          merge patch.
                                        items:
                                          type: string
                                        type: array
                                        x-kubernetes-list-type: atomic
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                  x-kubernetes-list-type: atomic
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: |-
                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: |-
                              Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
                              or a value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: |-
                                  APIGroup holds the API group of the referenced subject.
                                  Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
                                type: string
                              kind:
                                description: |-
                                  Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
                                  If the Authorizer does not recognize the kind value, the Authorizer should report an error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
                                  the Authorizer should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              podSecurity:
                description: |-
                  PodSecurity specifies the Pod Security Standard controls to be excluded.
                  Applicable only to policies that have validate.podSecurity subrule.
                items:
                  description: PodSecurityStandard specifies the Pod Security Standard
                    controls to be excluded.
                  properties:
                    controlName:
                      description: |-
                        ControlName specifies the name of the Pod Security Standard control.
                        See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
                      enum:
                      - HostProcess
                      - Host Namespaces
                      - Privileged Containers
                      - Capabilities
                      - HostPath Volumes
                      - Host Ports
                      - AppArmor
                      - SELinux
                      - /proc Mount Type
                      - Seccomp
                      - Sysctls
                      - Volume Types
                      - Privilege Escalation
                      - Running as Non-root
                      - Running as Non-root user
                      type: string
                    images:
                      description: |-
                        Images selects matching containers and applies the container level PSS.
                        Each image is the image name consisting of the registry address, repository, image, and tag.
                        An empty list matches no containers; PSS checks are applied at the pod level only.
                        Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                      items:
                        type: string
                      type: array
                    restrictedField:
                      description: |-
                        RestrictedField selects the field for the given Pod Security Standard control.
                        When not set, all restricted fields for the control are selected.
                      type: string
                    values:
                      description: Values defines the allowed values that can be excluded.
                      items:
                        type: string
                      type: array
                  required:
                  - controlName
                  type: object
                type: array
            required:
            - exceptions
            - match
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: updaterequests.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: UpdateRequest
    listKind: UpdateRequestList
    plural: updaterequests
    shortNames:
    - ur
    singular: updaterequest
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.policy
      name: Policy
      type: string
    - jsonPath: .spec.rule
      name: Rule
      type: string
    - jsonPath: .spec.requestType
      name: RuleType
      type: string
    - jsonPath: .spec.resource.kind
      name: ResourceKind
      type: string
    - jsonPath: .spec.resource.name
      name: ResourceName
      type: string
    - jsonPath: .spec.resource.namespace
      name: ResourceNamespace
      type: string
    - jsonPath: .status.state
      name: status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    deprecated: true
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: UpdateRequest is a request to process mutate and generate rules
          in background.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ResourceSpec is the information to identify the trigger resource.
            properties:
              context:
                description: Context ...
                properties:
                  admissionRequestInfo:
                    description: AdmissionRequestInfoObject stores the admission request
                      and operation details
                    properties:
                      admissionRequest:
                        description: AdmissionRequest describes the admission.Attributes
                          for the admission request.
                        properties:
                          dryRun:
                            description: |-
                              DryRun indicates that modifications will definitely not be persisted for this request.
                              Defaults to false.
                            type: boolean
                          kind:
                            description: Kind is the fully-qualified type of object
                              being submitted (for example, v1.Pod or autoscaling.v1.Scale)
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          name:
                            description: |-
                              Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
                              rely on the server to generate the name.  If that is the case, this field will contain an empty string.
                            type: string
                          namespace:
                            description: Namespace is the namespace associated with
                              the request (if any).
                            type: string
                          object:
                            description: Object is the object from the incoming request.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          oldObject:
                            description: OldObject is the existing object. Only populated
                              for DELETE and UPDATE requests.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          operation:
                            description: |-
                              Operation is the operation being performed. This may be different than the operation
                              requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
                            type: string
                          options:
                            description: |-
                              Options is the operation option structure of the operation being performed.
                              e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
                              different than the options the caller provided. e.g. for a patch request the performed
                              Operation might be a CREATE, in which case the Options will be a
                              `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          requestKind:
                            description: |-
                              RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
                              If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.


                              For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
                              `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
                              an API request to apps/v1beta1 deployments would be converted and sent to the webhook
                              with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
                              and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).


                              See documentation for the "matchPolicy" field in the webhook configuration type for more details.
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          requestResource:
                            description: |-
                              RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
                              If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.


                              For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
                              `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
                              an API request to apps/v1beta1 deployments would be converted and sent to the webhook
                              with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
                              and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).


                              See documentation for the "matchPolicy" field in the webhook configuration type.
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          requestSubResource:
                            description: |-
                              RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
                              If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
                              See documentation for the "matchPolicy" field in the webhook configuration type.
                            type: string
                          resource:
                            description: Resource is the fully-qualified resource
                              being requested (for example, v1.pods)
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          subResource:
                            description: SubResource is the subresource being requested,
                              if any (for example, "status" or "scale")
                            type: string
                          uid:
                            description: |-
                              UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
                              otherwise identical (parallel requests, requests when earlier requests did not modify etc)
                              The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
                              It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
                            type: string
                          userInfo:
                            description: UserInfo is information about the requesting
                              user
                            properties:
                              extra:
                                additionalProperties:
                                  description: ExtraValue masks the value so protobuf
                                    can generate
                                  items:
                                    type: string
                                  type: array
                                description: Any additional information provided by
                                  the authenticator.
                                type: object
                              groups:
                                description: The names of groups this user is a part
                                  of.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                              uid:
                                description: |-
                                  A unique value that identifies this user across time. If this user is
                                  deleted and another user by the same name is added, they will have
                                  different UIDs.
                                type: string
                              username:
                                description: The name that uniquely identifies this
                                  user among all active users.
                                type: string
                            type: object
                        required:
                        - kind
                        - operation
                        - resource
                        - uid
                        - userInfo
                        type: object
                      operation:
                        description: Operation is the type of resource operation being
                          checked for admission control
                        type: string
                    type: object
                  userInfo:
                    description: RequestInfo contains permission info carried in an
                      admission request.
                    properties:
                      clusterRoles:
                        description: ClusterRoles is a list of possible clusterRoles
                          that sent the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      roles:
                        description: Roles is a list of possible roles that sent the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
                        properties:
                          extra:
                            additionalProperties:
                              description: ExtraValue masks the value so protobuf
                                can generate
                              items:
                                type: string
                              type: array
                            description: Any additional information provided by the
                              authenticator.
                            type: object
                          groups:
                            description: The names of groups this user is a part of.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                          uid:
                            description: |-
                              A unique value that identifies this user across time. If this user is
                              deleted and another user by the same name is added, they will have
                              different UIDs.
                            type: string
                          username:
                            description: The name that uniquely identifies this user
                              among all active users.
                            type: string
                        type: object
                    type: object
                type: object
              deleteDownstream:
                description: DeleteDownstream represents whether the downstream needs
                  to be deleted.
                type: boolean
              policy:
                description: Specifies the name of the policy.
                type: string
              requestType:
                description: Type represents request type for background processing
                enum:
                - mutate
                - generate
                type: string
              resource:
                description: ResourceSpec is the information to identify the trigger
                  resource.
                properties:
                  apiVersion:
                    description: APIVersion specifies resource apiVersion.
                    type: string
                  kind:
                    description: Kind specifies resource kind.
                    type: string
                  name:
                    description: Name specifies the resource name.
                    type: string
                  namespace:
                    description: Namespace specifies resource namespace.
                    type: string
                  uid:
                    description: UID specifies the resource uid.
                    type: string
                type: object
              rule:
                description: Rule is the associated rule name of the current UR.
                type: string
              synchronize:
                description: |-
                  Synchronize represents the sync behavior of the corresponding rule
                  Optional. Defaults to "false" if not specified.
                type: boolean
            required:
            - context
            - deleteDownstream
            - policy
            - resource
            - rule
            type: object
          status:
            description: Status contains statistics related to update request.
            properties:
              generatedResources:
                description: |-
                  This will track the resources that are updated by the generate Policy.
                  Will be used during clean up resources.
                items:
                  properties:
                    apiVersion:
                      description: APIVersion specifies resource apiVersion.
                      type: string
                    kind:
                      description: Kind specifies resource kind.
                      type: string
                    name:
                      description: Name specifies the resource name.
                      type: string
                    namespace:
                      description: Namespace specifies resource namespace.
                      type: string
                    uid:
                      description: UID specifies the resource uid.
                      type: string
                  type: object
                type: array
              handler:
                description: Deprecated
                type: string
              message:
                description: Specifies request status message.
                type: string
              retryCount:
                type: integer
              state:
                description: State represents state of the update request.
                type: string
            required:
            - state
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.policy
      name: Policy
      type: string
    - jsonPath: .spec.requestType
      name: RuleType
      type: string
    - jsonPath: .spec.resource.kind
      name: ResourceKind
      type: string
    - jsonPath: .spec.resource.name
      name: ResourceName
      type: string
    - jsonPath: .spec.resource.namespace
      name: ResourceNamespace
      type: string
    - jsonPath: .status.state
      name: status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v2
    schema:
      openAPIV3Schema:
        description: UpdateRequest is a request to process mutate and generate rules
          in background.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ResourceSpec is the information to identify the trigger resource.
            properties:
              context:
                description: Context ...
                properties:
                  admissionRequestInfo:
                    description: AdmissionRequestInfoObject stores the admission request
                      and operation details
                    properties:
                      admissionRequest:
                        description: AdmissionRequest describes the admission.Attributes
                          for the admission request.
                        properties:
                          dryRun:
                            description: |-
                              DryRun indicates that modifications will definitely not be persisted for this request.
                              Defaults to false.
                            type: boolean
                          kind:
                            description: Kind is the fully-qualified type of object
                              being submitted (for example, v1.Pod or autoscaling.v1.Scale)
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          name:
                            description: |-
                              Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
                              rely on the server to generate the name.  If that is the case, this field will contain an empty string.
                            type: string
                          namespace:
                            description: Namespace is the namespace associated with
                              the request (if any).
                            type: string
                          object:
                            description: Object is the object from the incoming request.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          oldObject:
                            description: OldObject is the existing object. Only populated
                              for DELETE and UPDATE requests.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          operation:
                            description: |-
                              Operation is the operation being performed. This may be different than the operation
                              requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
                            type: string
                          options:
                            description: |-
                              Options is the operation option structure of the operation being performed.
                              e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
                              different than the options the caller provided. e.g. for a patch request the performed
                              Operation might be a CREATE, in which case the Options will a
                              `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          requestKind:
                            description: |-
                              RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
                              If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.


                              For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
                              `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
                              an API request to apps/v1beta1 deployments would be converted and sent to the webhook
                              with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
                              and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).


                              See documentation for the "matchPolicy" field in the webhook configuration type for more details.
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          requestResource:
                            description: |-
                              RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
                              If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.


                              For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
                              `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
                              an API request to apps/v1beta1 deployments would be converted and sent to the webhook
                              with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
                              and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).


                              See documentation for the "matchPolicy" field in the webhook configuration type.
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          requestSubResource:
                            description: |-
                              RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
                              If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
                              See documentation for the "matchPolicy" field in the webhook configuration type.
                            type: string
                          resource:
                            description: Resource is the fully-qualified resource
                              being requested (for example, v1.pods)
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          subResource:
                            description: SubResource is the subresource being requested,
                              if any (for example, "status" or "scale")
                            type: string
                          uid:
                            description: |-
                              UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
                              otherwise identical (parallel requests, requests when earlier requests did not modify etc)
                              The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
                              It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
                            type: string
                          userInfo:
                            description: UserInfo is information about the requesting
                              user
                            properties:
                              extra:
                                additionalProperties:
                                  description: ExtraValue masks the value so protobuf
                                    can generate
                                  items:
                                    type: string
                                  type: array
                                description: Any additional information provided by
                                  the authenticator.
                                type: object
                              groups:
                                description: The names of groups this user is a part
                                  of.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                              uid:
                                description: |-
                                  A unique value that identifies this user across time. If this user is
                                  deleted and another user by the same name is added, they will have
                                  different UIDs.
                                type: string
                              username:
                                description: The name that uniquely identifies this
                                  user among all active users.
                                type: string
                            type: object
                        required:
                        - kind
                        - operation
                        - resource
                        - uid
                        - userInfo
                        type: object
                      operation:
                        description: Operation is the type of resource operation being
                          checked for admission control
                        type: string
                    type: object
                  userInfo:
                    description: RequestInfo contains permission info carried in an
                      admission request.
                    properties:
                      clusterRoles:
                        description: ClusterRoles is a list of possible clusterRoles
                          send the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      roles:
                        description: Roles is a list of possible role send the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
                        properties:
                          extra:
                            additionalProperties:
                              description: ExtraValue masks the value so protobuf
                                can generate
                              items:
                                type: string
                              type: array
                            description: Any additional information provided by the
                              authenticator.
                            type: object
                          groups:
                            description: The names of groups this user is a part of.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                          uid:
                            description: |-
                              A unique value that identifies this user across time. If this user is
                              deleted and another user by the same name is added, they will have
                              different UIDs.
                            type: string
                          username:
                            description: The name that uniquely identifies this user
                              among all active users.
                            type: string
                        type: object
                    type: object
                type: object
              deleteDownstream:
                description: DeleteDownstream represents whether the downstream needs
                  to be deleted.
                type: boolean
              policy:
                description: Specifies the name of the policy.
                type: string
              requestType:
                description: Type represents request type for background processing
                enum:
                - mutate
                - generate
                type: string
              resource:
                description: ResourceSpec is the information to identify the trigger
                  resource.
                properties:
                  apiVersion:
                    description: APIVersion specifies resource apiVersion.
                    type: string
                  kind:
                    description: Kind specifies resource kind.
                    type: string
                  name:
                    description: Name specifies the resource name.
                    type: string
                  namespace:
                    description: Namespace specifies resource namespace.
                    type: string
                  uid:
                    description: UID specifies the resource uid.
                    type: string
                type: object
              rule:
                description: Rule is the associate rule name of the current UR.
                type: string
              synchronize:
                description: |-
                  Synchronize represents the sync behavior of the corresponding rule
                  Optional. Defaults to "false" if not specified.
                type: boolean
            required:
            - context
            - deleteDownstream
            - policy
            - resource
            - rule
            type: object
          status:
            description: Status contains statistics related to update request.
            properties:
              generatedResources:
                description: |-
                  This will track the resources that are updated by the generate Policy.
                  Will be used during clean up resources.
                items:
                  properties:
                    apiVersion:
                      description: APIVersion specifies resource apiVersion.
                      type: string
                    kind:
                      description: Kind specifies resource kind.
                      type: string
                    name:
                      description: Name specifies the resource name.
                      type: string
                    namespace:
                      description: Namespace specifies resource namespace.
                      type: string
                    uid:
                      description: UID specifies the resource uid.
                      type: string
                  type: object
                type: array
              message:
                description: Specifies request status message.
                type: string
              retryCount:
                type: integer
              state:
                description: State represents state of the update request.
                type: string
            required:
            - state
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CustomResourceDefinition for ClusterEphemeralReport (reports.kyverno.io/v1).
# Generated by controller-gen (version recorded in the annotation below);
# regenerate the schema from its source rather than hand-editing it here.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  # NOTE(review): version/chart labels read v0.0.0 — looks like an unrendered
  # chart version rather than a release; confirm against the install manifest.
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: clusterephemeralreports.reports.kyverno.io
spec:
  group: reports.kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterEphemeralReport
    listKind: ClusterEphemeralReportList
    plural: clusterephemeralreports
    shortNames:
    - cephr
    singular: clusterephemeralreport
  # Cluster-scoped: access to these reports is granted through ClusterRole
  # rules, not per-namespace Roles.
  scope: Cluster
  versions:
  # kubectl columns: Source/Group/Kind/Owner/Uid/Hash are read from the
  # audit.kyverno.io/* labels and annotations, the counts from .spec.summary.
  # Hash has priority 1, so it is only shown with -o wide.
  - additionalPrinterColumns:
    - jsonPath: .metadata.labels['audit\.kyverno\.io/source']
      name: Source
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group']
      name: Group
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind']
      name: Kind
      type: string
    - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name']
      name: Owner
      type: string
    - jsonPath: .spec.summary.pass
      name: Pass
      type: integer
    - jsonPath: .spec.summary.fail
      name: Fail
      type: integer
    - jsonPath: .spec.summary.warn
      name: Warn
      type: integer
    - jsonPath: .spec.summary.error
      name: Error
      type: integer
    - jsonPath: .spec.summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid']
      name: Uid
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
      name: Hash
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          # Object metadata; the schema leaves it as an open object.
          metadata:
            type: object
          # There is no status subresource (subresources: {} below), so both
          # the results list and the summary counts live under spec.
          spec:
            properties:
              # Required (see the required list under spec). Declared as an
              # atomic map, so the whole reference is replaced on merge rather
              # than merged field by field.
              owner:
                description: Owner is a reference to the report owner (e.g. a Deployment,
                  Namespace, or Node)
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  blockOwnerDeletion:
                    description: |-
                      If true, AND if the owner has the "foregroundDeletion" finalizer, then
                      the owner cannot be deleted from the key-value store until this
                      reference is removed.
                      See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
                      for how the garbage collector interacts with this field and enforces the foreground deletion.
                      Defaults to false.
                      To set this field, a user needs "delete" permission of the owner,
                      otherwise 422 (Unprocessable Entity) will be returned.
                    type: boolean
                  controller:
                    description: If true, this reference points to the managing controller.
                    type: boolean
                  kind:
                    description: |-
                      Kind of the referent.
                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  name:
                    description: |-
                      Name of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
                    type: string
                  uid:
                    description: |-
                      UID of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
                    type: string
                required:
                - apiVersion
                - kind
                - name
                - uid
                type: object
                x-kubernetes-map-type: atomic
              # NOTE(review): message and properties are unconstrained strings
              # written by the reporting engine; anything that renders or
              # exports them should treat them as untrusted text.
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: |-
                        SubjectSelector is an optional label selector for checked Kubernetes resources.
                        For example, a policy result may apply to all pods that match a label.
                        Either a Subject or a SubjectSelector can be specified.
                        If neither are provided, the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    # Core ObjectReference; the embedded description below
                    # explains why new APIs are discouraged from using it.
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: |-
                          ObjectReference contains enough information to let you inspect or modify the referred object.
                          ---
                          New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
                           1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
                           2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
                              restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
                              Those cannot be well described when embedded.
                           3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
                           4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
                              during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
                              and the version of the actual struct is irrelevant.
                           5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
                              will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.


                          Instead of using this type, create a locally provided and used type that is well-focused on your reference.
                          For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
                              the event) or if no container name is specified "spec.containers[2]" (container with
                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
                              referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    # Outcome enum; the same five values are the counters kept
                    # in spec.summary.
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    # Optional: only policy is in the item's required list.
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    # When present, both seconds and nanos are required.
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: |-
                            Non-negative fractions of a second at nanosecond resolution. Negative
                            second values with fractions must still have non-negative nanos values
                            that count forward in time. Must be from 0 to 999,999,999
                            inclusive. This field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: |-
                            Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                            9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              # Aggregate counts per outcome; surfaced as the Pass/Fail/Warn/
              # Error/Skip printer columns above.
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            required:
            - owner
            type: object
        required:
        - spec
        type: object
    # Single version; it is also the storage version.
    served: true
    storage: true
    # No /status subresource: one update permission covers the whole object,
    # there is no separate status write path to gate with RBAC.
    subresources: {}
---
# CustomResourceDefinition for Kyverno's EphemeralReport (reports.kyverno.io/v1).
# The schema is controller-gen output (see the annotation below): fix validation
# gaps in the Go type markers and regenerate rather than hand-editing this YAML.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    # NOTE(review): v0.0.0 / crds-v0.0.0 look like placeholders from an
    # unversioned chart render, not a real release — confirm before relying on
    # these labels for inventory or drift detection.
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: ephemeralreports.reports.kyverno.io
spec:
  group: reports.kyverno.io
  names:
    # `kubectl get kyverno` lists this kind together with the other category members.
    categories:
    - kyverno
    kind: EphemeralReport
    listKind: EphemeralReportList
    plural: ephemeralreports
    shortNames:
    - ephr
    singular: ephemeralreport
  # Namespaced: RBAC on `ephemeralreports` is granted per namespace. This schema
  # is the only server-side validation visible in this document, so whoever can
  # create/update the resource controls every result and summary it carries.
  scope: Namespaced
  versions:
  # Columns for `kubectl get ephr`. Source/Group/Kind/Uid/Hash come from
  # `audit.kyverno.io/*` labels and Owner from an annotation; `\.` escapes the
  # dots in the key so JSONPath does not read them as path separators.
  # NOTE(review): `metadata` is declared below as a bare `type: object`, so the
  # API server validates none of these labels/annotations — the columns display
  # whatever the writer put there; do not treat them as authoritative.
  - additionalPrinterColumns:
    - jsonPath: .metadata.labels['audit\.kyverno\.io/source']
      name: Source
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group']
      name: Group
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind']
      name: Kind
      type: string
    - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name']
      name: Owner
      type: string
    - jsonPath: .spec.summary.pass
      name: Pass
      type: integer
    - jsonPath: .spec.summary.fail
      name: Fail
      type: integer
    - jsonPath: .spec.summary.warn
      name: Warn
      type: integer
    - jsonPath: .spec.summary.error
      name: Error
      type: integer
    - jsonPath: .spec.summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid']
      name: Uid
      # priority > 0: only shown with `kubectl get -o wide`.
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
      name: Hash
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: EphemeralReport is the Schema for the EphemeralReports API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          # Unconstrained: labels and annotations (including the audit.kyverno.io
          # keys used by the printer columns above) are not validated here.
          metadata:
            type: object
          spec:
            properties:
              # Required (see `required` at the end of spec). Shaped like
              # metav1.OwnerReference, but it lives under spec rather than
              # metadata.ownerReferences.
              # NOTE(review): the garbage-collection and "delete permission"
              # wording in blockOwnerDeletion's description is inherited from the
              # OwnerReference type; presumably the API server applies neither to
              # this copy under spec, so it is informational only — confirm.
              owner:
                description: Owner is a reference to the report owner (e.g. a Deployment,
                  Namespace, or Node)
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  blockOwnerDeletion:
                    description: |-
                      If true, AND if the owner has the "foregroundDeletion" finalizer, then
                      the owner cannot be deleted from the key-value store until this
                      reference is removed.
                      See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
                      for how the garbage collector interacts with this field and enforces the foreground deletion.
                      Defaults to false.
                      To set this field, a user needs "delete" permission of the owner,
                      otherwise 422 (Unprocessable Entity) will be returned.
                    type: boolean
                  controller:
                    description: If true, this reference points to the managing controller.
                    type: boolean
                  kind:
                    description: |-
                      Kind of the referent.
                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  name:
                    description: |-
                      Name of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
                    type: string
                  uid:
                    description: |-
                      UID of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
                    type: string
                required:
                - apiVersion
                - kind
                - name
                - uid
                type: object
                # atomic: server-side apply replaces the whole map instead of merging fields.
                x-kubernetes-map-type: atomic
              # Optional list of per-rule outcomes. Only `policy` is required per
              # item; `result` and `severity` are enum-checked, everything else is
              # a free-form string or string map with no maxLength. Anything that
              # renders `message`/`properties` should treat them as untrusted text.
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: |-
                        SubjectSelector is an optional label selector for checked Kubernetes resources.
                        For example, a policy result may apply to all pods that match a label.
                        Either a Subject or a SubjectSelector can be specified.
                        If neither are provided, the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    # Generic ObjectReference items. No field is required, so a
                    # reference may be partial (e.g. name without uid); the
                    # description below is the upstream deprecation note.
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: |-
                          ObjectReference contains enough information to let you inspect or modify the referred object.
                          ---
                          New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
                           1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
                           2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
                              restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
                              Those cannot be well described when embedded.
                           3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
                           4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
                              during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
                              and the version of the actual struct is irrelevant.
                           5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
                              will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.


                          Instead of using this type, create a locally provided and used type that is well-focused on your reference.
                          For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
                              the event) or if no container name is specified "spec.containers[2]" (container with
                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
                              referencing a part of an object.
                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    # Enum-restricted: the API server rejects any other value.
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    # Both sub-fields are required when a timestamp is present.
                    # NOTE(review): the 0..999,999,999 and date ranges quoted in the
                    # descriptions are documentation only — no minimum/maximum is
                    # generated, so the schema accepts out-of-range values.
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: |-
                            Non-negative fractions of a second at nanosecond resolution. Negative
                            second values with fractions must still have non-negative nanos values
                            that count forward in time. Must be from 0 to 999,999,999
                            inclusive. This field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: |-
                            Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                            9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              # Aggregate counters. They are plain integers with no `minimum`, and
              # no x-kubernetes-validations ties them to `results`, so the schema
              # neither rejects negative counts nor checks them against the list.
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            required:
            - owner
            type: object
        required:
        - spec
        type: object
    # Only one version is served and stored.
    served: true
    storage: true
    # No /status or /scale subresource: results and summary are written together
    # with the rest of the object, so RBAC cannot separate "update status" from
    # "update spec" for this kind.
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: clusterpolicyreports.wgpolicyk8s.io
spec:
  group: wgpolicyk8s.io
  names:
    kind: ClusterPolicyReport
    listKind: ClusterPolicyReportList
    plural: clusterpolicyreports
    shortNames:
    - cpolr
    singular: clusterpolicyreport
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .scope.kind
      name: Kind
      type: string
    - jsonPath: .scope.name
      name: Name
      type: string
    - jsonPath: .summary.pass
      name: Pass
      type: integer
    - jsonPath: .summary.fail
      name: Fail
      type: integer
    - jsonPath: .summary.warn
      name: Warn
      type: integer
    - jsonPath: .summary.error
      name: Error
      type: integer
    - jsonPath: .summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: ClusterPolicyReport is the Schema for the clusterpolicyreports
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          results:
            description: PolicyReportResult provides result details
            items:
              description: PolicyReportResult provides the result for an individual
                policy
              properties:
                category:
                  description: Category indicates policy category
                  type: string
                message:
                  description: Description is a short user friendly message for the
                    policy rule
                  type: string
                policy:
                  description: Policy is the name or identifier of the policy
                  type: string
                properties:
                  additionalProperties:
                    type: string
                  description: Properties provides additional information for the
                    policy rule
                  type: object
                resourceSelector:
                  description: |-
                    SubjectSelector is an optional label selector for checked Kubernetes resources.
                    For example, a policy result may apply to all pods that match a label.
                    Either a Subject or a SubjectSelector can be specified.
                    If neither are provided, the result is assumed to be for the policy report scope.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                resources:
                  description: Subjects is an optional reference to the checked Kubernetes
                    resources
                  items:
                    description: |-
                      ObjectReference contains enough information to let you inspect or modify the referred object.
                      ---
                      New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
                       1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
                       2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
                          restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
                          Those cannot be well described when embedded.
                       3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
                       4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
                          during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
                          and the version of the actual struct is irrelevant.
                       5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
                          will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.


                      Instead of using this type, create a locally provided and used type that is well-focused on your reference.
                      For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
                        description: |-
                          If referring to a piece of an object instead of an entire object, this string
                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                          For example, if the object reference is to a container within a pod, this would take on a value like:
                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
                          the event) or if no container name is specified "spec.containers[2]" (container with
                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
                          referencing a part of an object.
                          TODO: this design is not final and this field is subject to change in the future.
                        type: string
                      kind:
                        description: |-
                          Kind of the referent.
                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                        type: string
                      name:
                        description: |-
                          Name of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
                        description: |-
                          Namespace of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        type: string
                      resourceVersion:
                        description: |-
                          Specific resourceVersion to which this reference is made, if any.
                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                        type: string
                      uid:
                        description: |-
                          UID of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  type: array
                result:
                  description: Result indicates the outcome of the policy rule execution
                  enum:
                  - pass
                  - fail
                  - warn
                  - error
                  - skip
                  type: string
                rule:
                  description: Rule is the name or identifier of the rule within the
                    policy
                  type: string
                scored:
                  description: Scored indicates if this result is scored
                  type: boolean
                severity:
                  description: Severity indicates policy check result criticality
                  enum:
                  - critical
                  - high
                  - low
                  - medium
                  - info
                  type: string
                source:
                  description: Source is an identifier for the policy engine that
                    manages this report
                  type: string
                timestamp:
                  description: Timestamp indicates the time the result was found
                  properties:
                    nanos:
                      description: |-
                        Non-negative fractions of a second at nanosecond resolution. Negative
                        second values with fractions must still have non-negative nanos values
                        that count forward in time. Must be from 0 to 999,999,999
                        inclusive. This field may be limited in precision depending on context.
                      format: int32
                      type: integer
                    seconds:
                      description: |-
                        Represents seconds of UTC time since Unix epoch
                        1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                        9999-12-31T23:59:59Z inclusive.
                      format: int64
                      type: integer
                  required:
                  - nanos
                  - seconds
                  type: object
              required:
              - policy
              type: object
            type: array
          scope:
            description: Scope is an optional reference to the report scope (e.g.
              a Deployment, Namespace, or Node)
            properties:
              apiVersion:
                description: API version of the referent.
                type: string
              fieldPath:
                description: |-
                  If referring to a piece of an object instead of an entire object, this string
                  should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                  For example, if the object reference is to a container within a pod, this would take on a value like:
                  "spec.containers{name}" (where "name" refers to the name of the container that triggered
                  the event) or if no container name is specified "spec.containers[2]" (container with
                  index 2 in this pod). This syntax is chosen only to have some well-defined way of
                  referencing a part of an object.
                  TODO: this design is not final and this field is subject to change in the future.
                type: string
              kind:
                description: |-
                  Kind of the referent.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                type: string
              name:
                description: |-
                  Name of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                type: string
              namespace:
                description: |-
                  Namespace of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                type: string
              resourceVersion:
                description: |-
                  Specific resourceVersion to which this reference is made, if any.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                type: string
              uid:
                description: |-
                  UID of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                type: string
            type: object
            x-kubernetes-map-type: atomic
          scopeSelector:
            description: |-
              ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
              Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
            properties:
              matchExpressions:
                description: matchExpressions is a list of label selector requirements.
                  The requirements are ANDed.
                items:
                  description: |-
                    A label selector requirement is a selector that contains values, a key, and an operator that
                    relates the key and values.
                  properties:
                    key:
                      description: key is the label key that the selector applies
                        to.
                      type: string
                    operator:
                      description: |-
                        operator represents a key's relationship to a set of values.
                        Valid operators are In, NotIn, Exists and DoesNotExist.
                      type: string
                    values:
                      description: |-
                        values is an array of string values. If the operator is In or NotIn,
                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
                        the values array must be empty. This array is replaced during a strategic
                        merge patch.
                      items:
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                  required:
                  - key
                  - operator
                  type: object
                type: array
                x-kubernetes-list-type: atomic
              matchLabels:
                additionalProperties:
                  type: string
                description: |-
                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                  map is equivalent to an element of matchExpressions, whose key field is "key", the
                  operator is "In", and the values array contains only "value". The requirements are ANDed.
                type: object
            type: object
            x-kubernetes-map-type: atomic
          summary:
            description: PolicyReportSummary provides a summary of results
            properties:
              error:
                description: Error provides the count of policies that could not be
                  evaluated
                type: integer
              fail:
                description: Fail provides the count of policies whose requirements
                  were not met
                type: integer
              pass:
                description: Pass provides the count of policies whose requirements
                  were met
                type: integer
              skip:
                description: Skip indicates the count of policies that were not selected
                  for evaluation
                type: integer
              warn:
                description: Warn provides the count of non-scored policies whose
                  requirements were not met
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
---
# CustomResourceDefinition for the namespaced PolicyReport resource
# (wgpolicyk8s.io/v1alpha2). The controller-gen annotation below marks the
# schema as tool-generated from Go types, so findings here should be fixed in
# the source types / chart rather than by hand-editing this rendered manifest.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-crds
    # v0.0.0 / crds-v0.0.0 look like development-build markers rather than a
    # released chart version - confirm before using them for inventory.
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: crds-v0.0.0
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  name: policyreports.wgpolicyk8s.io
spec:
  group: wgpolicyk8s.io
  names:
    kind: PolicyReport
    listKind: PolicyReportList
    plural: policyreports
    shortNames:
    - polr
    singular: policyreport
  # Namespaced: access to a report is governed by RBAC in the report's namespace.
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    # Columns shown by `kubectl get policyreports`; the count columns read the
    # summary fields defined in the schema below.
    - jsonPath: .scope.kind
      name: Kind
      type: string
    - jsonPath: .scope.name
      name: Name
      type: string
    - jsonPath: .summary.pass
      name: Pass
      type: integer
    - jsonPath: .summary.fail
      name: Fail
      type: integer
    - jsonPath: .summary.warn
      name: Warn
      type: integer
    - jsonPath: .summary.error
      name: Error
      type: integer
    - jsonPath: .summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: PolicyReport is the Schema for the policyreports API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          # One entry per evaluated policy/rule. Only `policy` is required per
          # entry (see the `required` list at the end of `items`); everything
          # else, including `result`, may be absent.
          results:
            description: PolicyReportResult provides result details
            items:
              description: PolicyReportResult provides the result for an individual
                policy
              properties:
                category:
                  description: Category indicates policy category
                  type: string
                message:
                  description: Description is a short user friendly message for the
                    policy rule
                  type: string
                policy:
                  description: Policy is the name or identifier of the policy
                  type: string
                # Free-form string map; nothing in the schema constrains its keys.
                properties:
                  additionalProperties:
                    type: string
                  description: Properties provides additional information for the
                    policy rule
                  type: object
                resourceSelector:
                  description: |-
                    SubjectSelector is an optional label selector for checked Kubernetes resources.
                    For example, a policy result may apply to all pods that match a label.
                    Either a Subject or a SubjectSelector can be specified.
                    If neither are provided, the result is assumed to be for the policy report scope.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                # Plain ObjectReference list; the embedded description explains why
                # upstream discourages embedding that type. No field is required.
                resources:
                  description: Subjects is an optional reference to the checked Kubernetes
                    resources
                  items:
                    description: |-
                      ObjectReference contains enough information to let you inspect or modify the referred object.
                      ---
                      New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
                       1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
                       2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
                          restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
                          Those cannot be well described when embedded.
                       3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
                       4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
                          during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
                          and the version of the actual struct is irrelevant.
                       5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
                          will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.


                      Instead of using this type, create a locally provided and used type that is well-focused on your reference.
                      For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
                        description: |-
                          If referring to a piece of an object instead of an entire object, this string
                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                          For example, if the object reference is to a container within a pod, this would take on a value like:
                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
                          the event) or if no container name is specified "spec.containers[2]" (container with
                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
                          referencing a part of an object.
                          TODO: this design is not final and this field is subject to change in the future.
                        type: string
                      kind:
                        description: |-
                          Kind of the referent.
                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                        type: string
                      name:
                        description: |-
                          Name of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
                        description: |-
                          Namespace of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        type: string
                      resourceVersion:
                        description: |-
                          Specific resourceVersion to which this reference is made, if any.
                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                        type: string
                      uid:
                        description: |-
                          UID of the referent.
                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  type: array
                # Closed enum: any other outcome string is rejected at admission.
                result:
                  description: Result indicates the outcome of the policy rule execution
                  enum:
                  - pass
                  - fail
                  - warn
                  - error
                  - skip
                  type: string
                rule:
                  description: Rule is the name or identifier of the rule within the
                    policy
                  type: string
                scored:
                  description: Scored indicates if this result is scored
                  type: boolean
                # Closed enum; note the order here is not a ranking.
                severity:
                  description: Severity indicates policy check result criticality
                  enum:
                  - critical
                  - high
                  - low
                  - medium
                  - info
                  type: string
                source:
                  description: Source is an identifier for the policy engine that
                    manages this report
                  type: string
                # When present, both `seconds` and `nanos` are required.
                timestamp:
                  description: Timestamp indicates the time the result was found
                  properties:
                    nanos:
                      description: |-
                        Non-negative fractions of a second at nanosecond resolution. Negative
                        second values with fractions must still have non-negative nanos values
                        that count forward in time. Must be from 0 to 999,999,999
                        inclusive. This field may be limited in precision depending on context.
                      format: int32
                      type: integer
                    seconds:
                      description: |-
                        Represents seconds of UTC time since Unix epoch
                        1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                        9999-12-31T23:59:59Z inclusive.
                      format: int64
                      type: integer
                  required:
                  - nanos
                  - seconds
                  type: object
              required:
              - policy
              type: object
            type: array
          # Single-object reference to what the report covers.
          scope:
            description: Scope is an optional reference to the report scope (e.g.
              a Deployment, Namespace, or Node)
            properties:
              apiVersion:
                description: API version of the referent.
                type: string
              fieldPath:
                description: |-
                  If referring to a piece of an object instead of an entire object, this string
                  should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                  For example, if the object reference is to a container within a pod, this would take on a value like:
                  "spec.containers{name}" (where "name" refers to the name of the container that triggered
                  the event) or if no container name is specified "spec.containers[2]" (container with
                  index 2 in this pod). This syntax is chosen only to have some well-defined way of
                  referencing a part of an object.
                  TODO: this design is not final and this field is subject to change in the future.
                type: string
              kind:
                description: |-
                  Kind of the referent.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                type: string
              name:
                description: |-
                  Name of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                type: string
              namespace:
                description: |-
                  Namespace of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                type: string
              resourceVersion:
                description: |-
                  Specific resourceVersion to which this reference is made, if any.
                  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                type: string
              uid:
                description: |-
                  UID of the referent.
                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                type: string
            type: object
            x-kubernetes-map-type: atomic
          # The description says `scope` and `scopeSelector` are mutually
          # exclusive, but nothing in this schema (no oneOf, no
          # x-kubernetes-validations) enforces that; consumers must check it.
          scopeSelector:
            description: |-
              ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
              Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
            properties:
              matchExpressions:
                description: matchExpressions is a list of label selector requirements.
                  The requirements are ANDed.
                items:
                  description: |-
                    A label selector requirement is a selector that contains values, a key, and an operator that
                    relates the key and values.
                  properties:
                    key:
                      description: key is the label key that the selector applies
                        to.
                      type: string
                    operator:
                      description: |-
                        operator represents a key's relationship to a set of values.
                        Valid operators are In, NotIn, Exists and DoesNotExist.
                      type: string
                    values:
                      description: |-
                        values is an array of string values. If the operator is In or NotIn,
                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
                        the values array must be empty. This array is replaced during a strategic
                        merge patch.
                      items:
                        type: string
                      type: array
                      x-kubernetes-list-type: atomic
                  required:
                  - key
                  - operator
                  type: object
                type: array
                x-kubernetes-list-type: atomic
              matchLabels:
                additionalProperties:
                  type: string
                description: |-
                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                  map is equivalent to an element of matchExpressions, whose key field is "key", the
                  operator is "In", and the values array contains only "value". The requirements are ANDed.
                type: object
            type: object
            x-kubernetes-map-type: atomic
          # Aggregate counters surfaced by the printer columns above. Nothing ties
          # them to the `results` list, so they can disagree with it.
          summary:
            description: PolicyReportSummary provides a summary of results
            properties:
              error:
                description: Error provides the count of policies that could not be
                  evaluated
                type: integer
              fail:
                description: Fail provides the count of policies whose requirements
                  were not met
                type: integer
              pass:
                description: Pass provides the count of policies whose requirements
                  were met
                type: integer
              skip:
                description: Skip indicates the count of policies that were not selected
                  for evaluation
                type: integer
              warn:
                description: Warn provides the count of non-scored policies whose
                  requirements were not met
                type: integer
            type: object
        type: object
    served: true
    storage: true
    # No status subresource is served: `results` and `summary` are written
    # through the main object endpoint like any other field, so anyone with
    # update/patch on policyreports can alter them. RBAC rules in this manifest
    # that name `policyreports/status` match no API path while this stays `{}`.
    subresources: {}
---
# Aggregated ClusterRole for the admission controller. It carries no rules of
# its own: the API server's aggregation controller copies in the rules of every
# ClusterRole whose labels match the selector below. In this manifest that is
# kyverno:admission-controller:core, but any other ClusterRole carrying these
# three labels is merged in too - label hygiene on ClusterRoles is therefore
# part of this role's security boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
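# Core rules for the admission controller, aggregated into
# kyverno:admission-controller via the labels below. Every rule is cluster-wide
# (this is a ClusterRole); the two grants worth auditing are the webhook
# configuration writes and the trailing `*`/`*` read rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller:core
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read-only discovery of installed CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Full control of webhook registrations: the controller creates and
  # reconciles its own mutating/validating webhooks. This is the most sensitive
  # grant here - a holder of this service account's token can re-point
  # admission webhooks and thereby observe or rewrite every admission request
  # in the cluster, so guard the token as you would a cluster-admin credential.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Read-only view of RBAC objects (list/watch only; no bind/escalate verbs).
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - list
      - watch
  # Kyverno's own policy, exception, update-request and global-context objects.
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - updaterequests
      - updaterequests/status
      - globalcontextentries
      - globalcontextentries/status
      - policyexceptions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Intermediate (ephemeral) report objects.
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Final policy reports. The `/status` entries have no effect while the
  # PolicyReport CRD in this manifest declares `subresources: {}`; they are
  # harmless but currently match no API path.
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Event emission in both the legacy core group ('') and events.k8s.io.
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - update
      - patch
  # SubjectAccessReview lets the controller ask the API server whether a given
  # subject may perform an action; it is a create-only API by design.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # Read access to ConfigMaps (the controller's configuration lives in one) and
  # to namespaces.
  - apiGroups:
      - ''
    resources:
      - configmaps
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Leases: write access on leases is the usual shape of leader election
  # (assumption - confirm against the controller's flags).
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - update
      - patch
      - get
      - list
      - watch
  # Cluster-wide READ of every resource in every API group, Secrets included -
  # the broadest grant in the manifest. It is presumably what lets policies
  # look up arbitrary resources, but it also means a compromise of this service
  # account exposes every Secret in the cluster; narrow it to the groups and
  # resources your policies actually reference where you can.
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch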
---
# Aggregated ClusterRole for the background controller; empty on its own. The
# API server merges in every ClusterRole carrying the three labels in the
# selector below (kyverno:background-controller:core in this manifest). Any
# additional ClusterRole labelled the same way silently widens this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
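# Core rules for the background controller, aggregated into
# kyverno:background-controller via the labels below. Besides reading policies,
# this role holds cluster-wide WRITE access to several resource kinds -
# presumably the surface that generate / mutate-existing policies act on - so
# the service account behind it is effectively a cluster-wide writer of
# Secrets, ConfigMaps, RBAC bindings and network policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:core
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read-only discovery of installed CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Kyverno's own policy, exception, update-request and global-context objects.
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - clusterpolicies
      - policyexceptions
      - updaterequests
      - updaterequests/status
      - globalcontextentries
      - globalcontextentries/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Read access to namespaces and ConfigMaps (ConfigMap write verbs are granted
  # further down; RBAC unions the two rules).
  - apiGroups:
      - ''
    resources:
      - namespaces
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Event emission in the legacy core group ('') and events.k8s.io.
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  # Cluster-wide READ of every resource in every API group, Secrets included;
  # the broadest grant in this role.
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  # Cluster-wide write access to networking objects.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
      - networkpolicies
    verbs:
      - create
      - update
      - patch
      - delete
  # Cluster-wide write access to Roles and RoleBindings. The API server's
  # escalation check still applies: without the `escalate` / `bind` verbs (not
  # granted here) this account can only create a Role, or bind to one, whose
  # permissions it already holds at that scope - which, given the `*` read rule
  # above and the write rules in this role, is still a large set.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - update
      - patch
      - delete
  # Cluster-wide write access to Secrets, ConfigMaps, ResourceQuotas and
  # LimitRanges. Combined with the `*` read rule, this service account can read
  # and rewrite every Secret in the cluster; constrain generate policies and
  # protect the token accordingly.
  - apiGroups:
      - ''
    resources:
      - configmaps
      - secrets
      - resourcequotas
      - limitranges
    verbs:
      - create
      - update
      - patch
      - delete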
---
# Aggregated ClusterRole for the cleanup controller; empty on its own. Rules
# come from every ClusterRole carrying the three labels in the selector below
# (kyverno:cleanup-controller:core in this manifest). Because cleanup targets
# are not authorised in that core role, any ClusterRole that adds delete rights
# for them and carries these labels ends up here - review such roles together.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
# Core rules for the cleanup controller, aggregated into
# kyverno:cleanup-controller via the labels below. Note what is absent: no
# delete verbs on workload resources, so whatever a cleanup policy removes must
# presumably be authorised by a separate ClusterRole with the same aggregation
# labels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller:core
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read-only discovery of installed CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Write access to validating webhook registrations (no patch or
  # deletecollection, unlike the admission controller's rule). Still a
  # high-value grant: a holder can re-point a validating webhook and thereby
  # observe every admission request, so protect this service account's token.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  # Read-only view of namespaces.
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Cleanup policies are read (list/watch) here; their status is written below.
  - apiGroups:
      - kyverno.io
    resources:
      - clustercleanuppolicies
      - cleanuppolicies
    verbs:
      - list
      - watch
  # Full control of global-context entries and their status.
  - apiGroups:
      - kyverno.io
    resources:
      - globalcontextentries
      - globalcontextentries/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Status updates for cleanup policies (update only, no patch).
  - apiGroups:
      - kyverno.io
    resources:
      - clustercleanuppolicies/status
      - cleanuppolicies/status
    verbs:
      - update
  # Read access to ConfigMaps (the controller's configuration lives in one).
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Event emission in both the legacy core group ('') and events.k8s.io.
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  # SubjectAccessReview: ask the API server whether a subject may perform an
  # action; create-only by design.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Rules for the periodic cleanup jobs. This role carries no
# app.kubernetes.io/component label, so none of the aggregation selectors above
# pick it up; it is presumably bound directly to the cleanup job's service
# account. Housekeeping only: list and delete of Kyverno's own transient
# objects, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-jobs
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Purge stale update requests.
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
    verbs:
      - list
      - deletecollection
      - delete
  # Purge stale ephemeral reports.
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - list
      - deletecollection
      - delete
---
# ClusterRole aggregated into the built-in "admin" role via the
# aggregate-to-admin label: every subject bound to "admin" gains full write
# access to Kyverno policy kinds.
# NOTE(review): a RoleBinding to "admin" cannot grant cluster-scoped kinds, so
# clusterpolicies/clustercleanuppolicies only take effect where "admin" is bound
# through a ClusterRoleBinding. The namespaced kinds (policies, cleanuppolicies)
# are granted to every namespace admin; the rules those policies contain are
# presumably carried out by the Kyverno controllers under their own
# ServiceAccounts, so this aggregation widens what a namespace admin can cause.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: [kyverno.io]
    resources: [cleanuppolicies, clustercleanuppolicies, policies, clusterpolicies]
    verbs: [create, delete, get, list, patch, update, watch]
---
# ClusterRole aggregated into the built-in "view" role: read-only access to
# Kyverno policy kinds for every subject bound to "view". The cluster-scoped
# kinds listed here are only reachable where "view" is bound cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [kyverno.io]
    resources: [cleanuppolicies, clustercleanuppolicies, policies, clusterpolicies]
    verbs: [get, list, watch]
---
# ClusterRole aggregated into the built-in "admin" role: full write access to
# PolicyReport and ClusterPolicyReport objects. Note that an admin can therefore
# also edit or delete reports the reports controller produced; report contents
# should not be treated as tamper-proof evidence by consumers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: [wgpolicyk8s.io]
    resources: [policyreports, clusterpolicyreports]
    verbs: [create, delete, get, list, patch, update, watch]
---
# ClusterRole aggregated into the built-in "view" role: read-only access to
# PolicyReport and ClusterPolicyReport objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [wgpolicyk8s.io]
    resources: [policyreports, clusterpolicyreports]
    verbs: [get, list, watch]
---
# ClusterRole aggregated into the built-in "admin" role: full write access to
# Kyverno's ephemeral report objects (reports.kyverno.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: [reports.kyverno.io]
    resources: [ephemeralreports, clusterephemeralreports]
    verbs: [create, delete, get, list, patch, update, watch]
---
# ClusterRole aggregated into the built-in "view" role: read-only access to
# Kyverno's ephemeral report objects (reports.kyverno.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [reports.kyverno.io]
    resources: [ephemeralreports, clusterephemeralreports]
    verbs: [get, list, watch]
---
# ClusterRole aggregated into the built-in "admin" role: full write access to
# UpdateRequest objects. NOTE(review): UpdateRequests appear to be work items
# consumed by the Kyverno controllers (the cleanup-jobs role deletes them);
# letting admins create them by hand is worth a conscious decision.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: [kyverno.io]
    resources: [updaterequests]
    verbs: [create, delete, get, list, patch, update, watch]
---
# ClusterRole aggregated into the built-in "view" role: read-only access to
# UpdateRequest objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [kyverno.io]
    resources: [updaterequests]
    verbs: [get, list, watch]
---
# Aggregated ClusterRole for the reports controller. It declares no rules of
# its own: the API server unions in every ClusterRole whose labels match the
# selector below (kyverno:reports-controller:core among them). Any additional
# ClusterRole carrying these three labels is silently folded in, so label
# hygiene is part of this controller's privilege boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
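# ClusterRole: core cluster-scoped permissions of the reports controller,
# selected into the aggregated kyverno:reports-controller ClusterRole by its
# component/instance/part-of labels.
# Layout fix: the final wildcard rule used flush sequence indentation while the
# rest of the document is indented; all rules now share one style.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller:core
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read-only access to CRD definitions.
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get]
  # Read Secrets, ConfigMaps and Namespaces in every namespace. Secret reads
  # are cluster-wide and unrestricted by resourceNames.
  - apiGroups: [""]
    resources: [secrets, configmaps, namespaces]
    verbs: [get, list, watch]
  # Full read/write on Kyverno context entries, exceptions and policies.
  # This controller can therefore modify the policies it reports on.
  - apiGroups: [kyverno.io]
    resources: [globalcontextentries, globalcontextentries/status, policyexceptions, policies, clusterpolicies]
    verbs: [create, delete, get, list, patch, update, watch, deletecollection]
  # Full lifecycle of ephemeral report objects.
  - apiGroups: [reports.kyverno.io]
    resources: [ephemeralreports, clusterephemeralreports]
    verbs: [create, delete, get, list, patch, update, watch, deletecollection]
  # Full lifecycle of PolicyReports/ClusterPolicyReports and their status.
  - apiGroups: [wgpolicyk8s.io]
    resources: [policyreports, policyreports/status, clusterpolicyreports, clusterpolicyreports/status]
    verbs: [create, delete, get, list, patch, update, watch, deletecollection]
  # Emit Events in both the core and events.k8s.io groups.
  - apiGroups: ["", events.k8s.io]
    resources: [events]
    verbs: [create, patch]
  # Cluster-wide read of every resource in every API group (a full read-only
  # view of the cluster, Secrets included). Anything that can obtain this
  # ServiceAccount's token — exec into the pod, impersonation, a token request —
  # inherits that view, so guard the workload and its token accordingly.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: [get, list, watch]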
---
# Binds the cluster-scoped kyverno:admission-controller ClusterRole to the
# admission controller's ServiceAccount in the kyverno namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
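# Binds the cluster-scoped kyverno:background-controller ClusterRole to the
# background controller's ServiceAccount in the kyverno namespace.
# Layout fix: the subjects sequence was flush-indented, unlike the sibling
# bindings in this file; it now uses the same indented style.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:background-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno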
---
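# Binds the cluster-scoped kyverno:cleanup-controller ClusterRole (an
# aggregated role; see kyverno:cleanup-controller:core) to the cleanup
# controller's ServiceAccount in the kyverno namespace.
# Layout fix: the subjects sequence was flush-indented, unlike the sibling
# bindings in this file; it now uses the same indented style.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:cleanup-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno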
---
# Binds the kyverno:cleanup-jobs ClusterRole (list/delete of UpdateRequests
# and ephemeral reports) to the kyverno-cleanup-jobs ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:cleanup-jobs
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:cleanup-jobs
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-jobs
    namespace: kyverno
---
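# Binds the aggregated kyverno:reports-controller ClusterRole — which includes
# the cluster-wide read-everything rule of kyverno:reports-controller:core —
# to the reports controller's ServiceAccount in the kyverno namespace.
# Layout fix: the subjects sequence was flush-indented, unlike the sibling
# bindings in this file; it now uses the same indented style.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:reports-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno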
---
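# Namespaced Role for the admission controller (kyverno namespace only).
# Documentation fix: the comment on the Deployments rule claimed "update of
# Kyverno deployment annotations", but the rule grants get/list/watch only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Full Secret lifecycle in this namespace, with no resourceNames restriction.
  # The webhook TLS material lives here (the --caSecretName / --tlsSecretName
  # arguments of the kyverno-admission-controller Deployment name the Secrets).
  # NOTE(review): the kyverno:cleanup-controller Role in this file grants
  # create separately and limits get/list/watch/update/delete to its two TLS
  # Secrets by name; the same split would narrow this rule, provided the
  # admission controller reads no other Secrets in this namespace — confirm
  # before tightening.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch, create, update, delete]
  # Read the two Kyverno configuration ConfigMaps only.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch]
    resourceNames: [kyverno, kyverno-metrics]
  # Leases in this namespace (presumably leader election); unlike the other
  # controllers' Roles, not restricted by resourceNames.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, delete, get, patch, update]
  # Read access to Deployments in this namespace. Only get/list/watch are
  # granted; no update or patch verb is present, so annotations cannot be
  # written through this Role.
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get, list, watch]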
---
# Namespaced Role for the background controller (kyverno namespace only).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read the two Kyverno configuration ConfigMaps only.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch]
    resourceNames: [kyverno, kyverno-metrics]
  # Lease creation is a separate rule: resourceNames cannot constrain create,
  # so it is left unrestricted while every other Lease verb is pinned to the
  # controller's own Lease below.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [delete, get, patch, update]
    resourceNames: [kyverno-background-controller]
  # Read every Secret in this namespace (no resourceNames restriction); this
  # includes the admission and cleanup controllers' TLS Secrets.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
---
# Namespaced Role for the cleanup controller (kyverno namespace only). This is
# the most tightly scoped of the controller Roles: Secret and Lease access is
# pinned to named objects wherever the verb allows it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Secret creation cannot be limited by resourceNames, hence its own rule.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create]
  # All other Secret verbs are restricted to the controller's two TLS Secrets
  # (the names match --caSecretName / --tlsSecretName on its Deployment).
  - apiGroups: [""]
    resources: [secrets]
    verbs: [delete, get, list, update, watch]
    resourceNames:
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
  # Read the two Kyverno configuration ConfigMaps only.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch]
    resourceNames: [kyverno, kyverno-metrics]
  # Lease creation (unrestricted, see above) and named-Lease operations.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [delete, get, patch, update]
    resourceNames: [kyverno-cleanup-controller]
---
# Namespaced Role for the reports controller (kyverno namespace only).
# ConfigMap and Secret reads are already covered cluster-wide by
# kyverno:reports-controller:core; this Role adds only the Lease handling.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read the two Kyverno configuration ConfigMaps only.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch]
    resourceNames: [kyverno, kyverno-metrics]
  # Lease creation (resourceNames cannot constrain create) ...
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  # ... and every other verb pinned to the controller's own Lease.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [delete, get, patch, update]
    resourceNames: [kyverno-reports-controller]
---
# Binds the namespaced kyverno:admission-controller Role to the admission
# controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
# Binds the namespaced kyverno:background-controller Role to the background
# controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kyverno:background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:background-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
---
# Binds the namespaced kyverno:cleanup-controller Role to the cleanup
# controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kyverno:cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:cleanup-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno
---
# Binds the namespaced kyverno:reports-controller Role to the reports
# controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kyverno:reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:reports-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno
---
# Webhook Service for the admission controller. Port 443 forwards to the
# container port named "https" (9443 on the kyverno-admission-controller
# Deployment); the API server reaches the webhooks through this Service.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: https
---
# Metrics Service for the admission controller (container port 8000, named
# "metrics-port" on the Deployment). Nothing on this Service enforces
# authentication; limit scrape access with a NetworkPolicy if required.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: metrics-port
      protocol: TCP
      port: 8000
      targetPort: 8000
---
# Metrics Service for the background controller (container port 8000).
# Nothing on this Service enforces authentication; limit scrape access with a
# NetworkPolicy if required.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-background-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: metrics-port
      protocol: TCP
      port: 8000
      targetPort: 8000
---
# Webhook Service for the cleanup controller. Port 443 forwards to the
# container port named "https" (9443 on the kyverno-cleanup-controller
# Deployment, which also sets KYVERNO_SVC to this Service's name).
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: https
---
# Metrics Service for the cleanup controller (container port 8000).
# Nothing on this Service enforces authentication; limit scrape access with a
# NetworkPolicy if required.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: metrics-port
      protocol: TCP
      port: 8000
      targetPort: 8000
---
# Metrics Service for the reports controller (container port 8000).
# Nothing on this Service enforces authentication; limit scrape access with a
# NetworkPolicy if required.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-reports-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  ports:
    - name: metrics-port
      protocol: TCP
      port: 8000
      targetPort: 8000
---
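# Deployment: Kyverno admission controller (the webhook server).
# Fixes: the rendered template carried an empty "replicas:" value (parses as
# null) and several whitespace-only lines inside sequences; spec.replicas is
# now simply omitted, so the API default of 1 applies as before, and the
# stray lines are gone. Sequence indentation is uniform throughout.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer spreading admission-controller pods over nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [admission-controller]
      serviceAccountName: kyverno-admission-controller
      initContainers:
        # Images are referenced by the mutable "latest" tag with IfNotPresent,
        # so a node may keep running whatever it cached earlier; pin to a digest
        # for reproducible, verifiable rollouts in production.
        - name: kyverno-pre
          image: "ghcr.io/kyverno/kyvernopre:latest"
          imagePullPolicy: IfNotPresent
          args:
            - --loggingFormat=text
            - --v=2
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem, non-root, default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
      containers:
        - name: kyverno
          image: "ghcr.io/kyverno/kyverno:latest"
          imagePullPolicy: IfNotPresent
          args:
            # Webhook TLS material: CA and serving-pair Secrets in this namespace
            # (the kyverno:admission-controller Role grants access to them).
            - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
            # Must name the background controller's ServiceAccount exactly.
            - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
            - --servicePort=443
            - --webhookServerPort=9443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --maxAdmissionReports=1000
            - --autoUpdateWebhooks=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            # Keep false outside of debugging: enabling it writes admission
            # request payloads, which can carry sensitive object data, to logs.
            - --dumpPayload=false
            # false presumably keeps each webhook's configured failurePolicy
            # instead of forcing fail-open (Ignore) — confirm in the flag docs.
            - --forceFailurePolicyIgnore=false
            - --generateValidatingAdmissionPolicy=false
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
            - --protectManagedResources=false
            # Keep false so registries without trusted TLS are not accepted
            # during image verification.
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          resources:
            limits:
              memory: 384Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            # "https" is the webhook port targeted by the kyverno-svc Service;
            # "metrics-port" is targeted by kyverno-svc-metrics.
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics-port
              containerPort: 8000
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
            # Points at the writable emptyDir mounted below.
            - name: TUF_ROOT
              value: /.sigstore
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
          # Health endpoints are served over HTTPS on the webhook port.
          startupProbe:
            failureThreshold: 20
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          # Writable scratch space at TUF_ROOT; required because the root
          # filesystem is read-only.
          volumeMounts:
            - mountPath: /.sigstore
              name: sigstore
      volumes:
        - name: sigstore
          emptyDir: {}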
---
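# Deployment: Kyverno background controller.
# Fixes: the rendered template carried an empty "replicas:" value (parses as
# null) and whitespace-only lines inside sequences; spec.replicas is now
# omitted, so the API default of 1 applies as before, and the stray lines are
# gone. Sequence indentation is uniform throughout.
# NOTE(review): unlike the admission and cleanup controllers, this container
# defines no startup/liveness/readiness probe.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: background-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer spreading background-controller pods over nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [background-controller]
      # This ServiceAccount name must match --backgroundServiceAccountName on
      # the admission-controller Deployment.
      serviceAccountName: kyverno-background-controller
      containers:
        # Image referenced by the mutable "latest" tag with IfNotPresent; pin to
        # a digest for reproducible, verifiable rollouts in production.
        - name: controller
          image: "ghcr.io/kyverno/background-controller:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-background-controller
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-background-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem, non-root, default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault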
---
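# Deployment: Kyverno cleanup controller (cleanup webhook + TTL reconciler).
# Fixes: the rendered template carried an empty "replicas:" value (parses as
# null) and whitespace-only lines inside sequences; spec.replicas is now
# omitted, so the API default of 1 applies as before, and the stray lines are
# gone. Sequence indentation is uniform throughout.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: cleanup-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer spreading cleanup-controller pods over nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [cleanup-controller]
      serviceAccountName: kyverno-cleanup-controller
      containers:
        # Image referenced by the mutable "latest" tag with IfNotPresent; pin to
        # a digest for reproducible, verifiable rollouts in production.
        - name: controller
          image: "ghcr.io/kyverno/cleanup-controller:latest"
          imagePullPolicy: IfNotPresent
          ports:
            # "https" is targeted by the kyverno-cleanup-controller Service.
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            # Webhook TLS Secrets; these are exactly the two names the
            # kyverno:cleanup-controller Role pins with resourceNames.
            - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
            - --servicePort=443
            # Cleanup and webhook servers share port 9443 (the "https" port).
            - --cleanupServerPort=9443
            - --webhookServerPort=9443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableDeferredLoading=true
            # Keep false outside of debugging: enabling it writes admission
            # request payloads, which can carry sensitive object data, to logs.
            - --dumpPayload=false
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --protectManagedResources=false
            - --ttlReconciliationInterval=1m
          env:
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-cleanup-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-cleanup-controller
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Name of the webhook Service defined above.
            - name: KYVERNO_SVC
              value: kyverno-cleanup-controller
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem, non-root, default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          # Health endpoints are served over HTTPS on the webhook port.
          startupProbe:
            failureThreshold: 20
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5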
---
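apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  # `replicas` is intentionally not set. The original rendering carried a
  # bare `replicas:` (YAML null), which the API server treats as absent and
  # defaults to 1. Dropping the key keeps exactly that behaviour, avoids the
  # ambiguous empty value yamllint (empty-values) flags, and does not pin a
  # count that an external scaler may own.
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: reports-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      # Best-effort spread only ("preferred", weight 1): pods can still be
      # co-located on one node when the scheduler has no better placement.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values:
                        - reports-controller
                topologyKey: kubernetes.io/hostname
      serviceAccountName: kyverno-reports-controller
      containers:
        - name: controller
          # A mutable `latest` tag together with IfNotPresent means a node
          # keeps running whichever image it cached first, and the running
          # build cannot be tied back to a reviewed release. Outside a dev
          # install, pin an immutable reference instead, e.g.
          #   ghcr.io/kyverno/reports-controller@sha256:<DIGEST - placeholder>
          image: "ghcr.io/kyverno/reports-controller:latest"
          imagePullPolicy: IfNotPresent
          ports:
            # Health probes below talk HTTPS to this port.
            - name: https
              containerPort: 9443
              protocol: TCP
            # Metrics endpoint. Nothing in this manifest configures TLS for
            # it, so limit reachability with a NetworkPolicy — TODO confirm
            # against the metrics configuration (METRICS_CONFIG below).
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --aggregateReports=true
            - --policyReports=true
            - --validatingAdmissionPolicyReports=false
            - --backgroundScan=true
            - --backgroundScanWorkers=2
            - --backgroundScanInterval=1h
            - --skipResourceFilters=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            # Suppresses only the two listed event types; other policy
            # events are still emitted.
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
            # Keep false outside of test setups; true relaxes TLS
            # verification for registry connections (see the Kyverno flag
            # reference).
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-reports-controller
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-reports-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Points at the writable emptyDir mounted below; required because
            # the root filesystem is read-only. Presumably holds the sigstore
            # TUF trust-root cache — it is lost on pod restart, so trust
            # material is re-fetched rather than persisted.
            - name: TUF_ROOT
              value: /.sigstore
          resources:
            # Memory limit only (OOM ceiling); no CPU limit is set, just a
            # request.
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          # Restricted-profile container hardening: no privilege escalation,
          # every capability dropped, read-only root filesystem, non-root
          # user enforced at admission, runtime-default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: sigstore
              mountPath: /.sigstore
      volumes:
        # Ephemeral scratch space for TUF_ROOT; see the env entry above.
        - name: sigstore
          emptyDir: {}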