---
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-cleanup-jobs
  namespace: kyverno
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno
  namespace: kyverno
  labels:
    app.kubernetes.io/component: config
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
data:
  enableDefaultRegistryMutation: "true"
  defaultRegistry: "docker.io"
  generateSuccessEvents: "false"
  excludeGroups: "system:nodes"
  resourceFilters: >-
    [*/*,kyverno,*]
    [Event,*,*]
    [*/*,kube-system,*]
    [*/*,kube-public,*]
    [*/*,kube-node-lease,*]
    [Node,*,*]
    [Node/*,*,*]
    [APIService,*,*]
    [APIService/*,*,*]
    [TokenReview,*,*]
    [SubjectAccessReview,*,*]
    [SelfSubjectAccessReview,*,*]
    [Binding,*,*]
    [Pod/binding,*,*]
    [ReplicaSet,*,*]
    [ReplicaSet/*,*,*]
    [AdmissionReport,*,*]
    [AdmissionReport/*,*,*]
    [ClusterAdmissionReport,*,*]
    [ClusterAdmissionReport/*,*,*]
    [BackgroundScanReport,*,*]
    [BackgroundScanReport/*,*,*]
    [ClusterBackgroundScanReport,*,*]
    [ClusterBackgroundScanReport/*,*,*]
    [ClusterRole,*,kyverno:admission-controller]
    [ClusterRole,*,kyverno:admission-controller:core]
    [ClusterRole,*,kyverno:admission-controller:additional]
    [ClusterRole,*,kyverno:background-controller]
    [ClusterRole,*,kyverno:background-controller:core]
    [ClusterRole,*,kyverno:background-controller:additional]
    [ClusterRole,*,kyverno:cleanup-controller]
    [ClusterRole,*,kyverno:cleanup-controller:core]
    [ClusterRole,*,kyverno:cleanup-controller:additional]
    [ClusterRole,*,kyverno:reports-controller]
    [ClusterRole,*,kyverno:reports-controller:core]
    [ClusterRole,*,kyverno:reports-controller:additional]
    [ClusterRoleBinding,*,kyverno:admission-controller]
    [ClusterRoleBinding,*,kyverno:background-controller]
    [ClusterRoleBinding,*,kyverno:cleanup-controller]
    [ClusterRoleBinding,*,kyverno:reports-controller]
    [ServiceAccount,kyverno,kyverno-admission-controller]
    [ServiceAccount/*,kyverno,kyverno-admission-controller]
    [ServiceAccount,kyverno,kyverno-background-controller]
    [ServiceAccount/*,kyverno,kyverno-background-controller]
    [ServiceAccount,kyverno,kyverno-cleanup-controller]
    [ServiceAccount/*,kyverno,kyverno-cleanup-controller]
    [ServiceAccount,kyverno,kyverno-reports-controller]
    [ServiceAccount/*,kyverno,kyverno-reports-controller]
    [Role,kyverno,kyverno:admission-controller]
    [Role,kyverno,kyverno:background-controller]
    [Role,kyverno,kyverno:cleanup-controller]
    [Role,kyverno,kyverno:reports-controller]
    [RoleBinding,kyverno,kyverno:admission-controller]
    [RoleBinding,kyverno,kyverno:background-controller]
    [RoleBinding,kyverno,kyverno:cleanup-controller]
    [RoleBinding,kyverno,kyverno:reports-controller]
    [ConfigMap,kyverno,kyverno]
    [ConfigMap,kyverno,kyverno-metrics]
    [Deployment,kyverno,kyverno-admission-controller]
    [Deployment/*,kyverno,kyverno-admission-controller]
    [Deployment,kyverno,kyverno-background-controller]
    [Deployment/*,kyverno,kyverno-background-controller]
    [Deployment,kyverno,kyverno-cleanup-controller]
    [Deployment/*,kyverno,kyverno-cleanup-controller]
    [Deployment,kyverno,kyverno-reports-controller]
    [Deployment/*,kyverno,kyverno-reports-controller]
    [Pod,kyverno,kyverno-admission-controller-*]
    [Pod/*,kyverno,kyverno-admission-controller-*]
    [Pod,kyverno,kyverno-background-controller-*]
    [Pod/*,kyverno,kyverno-background-controller-*]
    [Pod,kyverno,kyverno-cleanup-controller-*]
    [Pod/*,kyverno,kyverno-cleanup-controller-*]
    [Pod,kyverno,kyverno-reports-controller-*]
    [Pod/*,kyverno,kyverno-reports-controller-*]
    [Job,kyverno,kyverno-hook-pre-delete]
    [Job/*,kyverno,kyverno-hook-pre-delete]
    [NetworkPolicy,kyverno,kyverno-admission-controller]
    [NetworkPolicy/*,kyverno,kyverno-admission-controller]
    [NetworkPolicy,kyverno,kyverno-background-controller]
    [NetworkPolicy/*,kyverno,kyverno-background-controller]
    [NetworkPolicy,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy/*,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy,kyverno,kyverno-reports-controller]
    [NetworkPolicy/*,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget,kyverno,kyverno-background-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-background-controller]
    [PodDisruptionBudget,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-reports-controller]
    [Service,kyverno,kyverno-svc]
    [Service/*,kyverno,kyverno-svc]
    [Service,kyverno,kyverno-svc-metrics]
    [Service/*,kyverno,kyverno-svc-metrics]
    [Service,kyverno,kyverno-background-controller-metrics]
    [Service/*,kyverno,kyverno-background-controller-metrics]
    [Service,kyverno,kyverno-cleanup-controller]
    [Service/*,kyverno,kyverno-cleanup-controller]
    [Service,kyverno,kyverno-cleanup-controller-metrics]
    [Service/*,kyverno,kyverno-cleanup-controller-metrics]
    [Service,kyverno,kyverno-reports-controller-metrics]
    [Service/*,kyverno,kyverno-reports-controller-metrics]
    [ServiceMonitor,kyverno,kyverno-admission-controller]
    [ServiceMonitor,kyverno,kyverno-background-controller]
    [ServiceMonitor,kyverno,kyverno-cleanup-controller]
    [ServiceMonitor,kyverno,kyverno-reports-controller]
    [Secret,kyverno,kyverno-svc.kyverno.svc.*]
    [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: config
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
data:
  namespaces: "{\"exclude\":[],\"include\":[]}"
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: admissionreports.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: AdmissionReport
    listKind: AdmissionReportList
    plural: admissionreports
    shortNames:
    - admr
    singular: admissionreport
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.summary.pass
      name: PASS
      type: integer
    - jsonPath: .spec.summary.fail
      name: FAIL
      type: integer
    - jsonPath: .spec.summary.warn
      name: WARN
      type: integer
    - jsonPath: .spec.summary.error
      name: ERROR
      type: integer
    - jsonPath: .spec.summary.skip
      name: SKIP
      type: integer
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
      name: GVR
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
      name: REF
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
      name: AGGREGATE
      priority: 1
      type: string
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: AdmissionReport is the Schema for the AdmissionReports API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              owner:
                description: Owner is a reference to the report owner (e.g. a Deployment,
                  Namespace, or Node)
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  blockOwnerDeletion:
                    description: If true, AND if the owner has the "foregroundDeletion"
                      finalizer, then the owner cannot be deleted from the key-value
                      store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
                      for how the garbage collector interacts with this field and
                      enforces the foreground deletion. Defaults to false. To set
                      this field, a user needs "delete" permission of the owner, otherwise
                      422 (Unprocessable Entity) will be returned.
                    type: boolean
                  controller:
                    description: If true, this reference points to the managing controller.
                    type: boolean
                  kind:
                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
                    type: string
                  uid:
                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
                    type: string
                required:
                - apiVersion
                - kind
                - name
                - uid
                type: object
                x-kubernetes-map-type: atomic
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: SubjectSelector is an optional label selector for
                        checked Kubernetes resources. For example, a policy result
                        may apply to all pods that match a label. Either a Subject
                        or a SubjectSelector can be specified. If neither are provided,
                        the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
                          describing its usage when embedded in APIs. 1. Ignored fields.
                          \ It includes many fields which are not generally honored.
                          \ For instance, ResourceVersion and FieldPath are both very
                          rarely valid in actual usage. 2. Invalid usage help.  It
                          is impossible to add specific help for individual usage.
                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
                          honored\" or \"name must be restricted\". Those cannot be
                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
                          URL. This can produce ambiguity during interpretation and
                          require a REST mapping.  In most cases, the dependency is
                          on the group,resource tuple and the version of the actual
                          struct is irrelevant. 5. We cannot easily change it.  Because
                          this type is embedded in many locations, updates to this
                          type will affect numerous schemas.  Don't make new APIs
                          embed an underspecified API type they do not control. \n
                          Instead of using this type, create a locally provided and
                          used type that is well-focused on your reference. For example,
                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: 'If referring to a piece of an object instead
                              of an entire object, this string should contain a valid
                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container
                              within a pod, this would take on a value like: "spec.containers{name}"
                              (where "name" refers to the name of the container that
                              triggered the event) or if no container name is specified
                              "spec.containers[2]" (container with index 2 in this
                              pod). This syntax is chosen only to have some well-defined
                              way of referencing a part of an object. TODO: this design
                              is not final and this field is subject to change in
                              the future.'
                            type: string
                          kind:
                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                          resourceVersion:
                            description: 'Specific resourceVersion to which this reference
                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                            type: string
                          uid:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: Non-negative fractions of a second at nanosecond
                            resolution. Negative second values with fractions must
                            still have non-negative nanos values that count forward
                            in time. Must be from 0 to 999,999,999 inclusive. This
                            field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
                            to 9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            required:
            - owner
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: backgroundscanreports.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: BackgroundScanReport
    listKind: BackgroundScanReportList
    plural: backgroundscanreports
    shortNames:
    - bgscanr
    singular: backgroundscanreport
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.ownerReferences[0].apiVersion
      name: ApiVersion
      priority: 1
      type: string
    - jsonPath: .metadata.ownerReferences[0].kind
      name: Kind
      priority: 1
      type: string
    - jsonPath: .metadata.ownerReferences[0].name
      name: Subject
      priority: 1
      type: string
    - jsonPath: .spec.summary.pass
      name: Pass
      type: integer
    - jsonPath: .spec.summary.fail
      name: Fail
      type: integer
    - jsonPath: .spec.summary.warn
      name: Warn
      type: integer
    - jsonPath: .spec.summary.error
      name: Error
      type: integer
    - jsonPath: .spec.summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
      name: Hash
      priority: 1
      type: string
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: BackgroundScanReport is the Schema for the BackgroundScanReports
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: SubjectSelector is an optional label selector for
                        checked Kubernetes resources. For example, a policy result
                        may apply to all pods that match a label. Either a Subject
                        or a SubjectSelector can be specified. If neither are provided,
                        the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
                          describing its usage when embedded in APIs. 1. Ignored fields.
                          \ It includes many fields which are not generally honored.
                          \ For instance, ResourceVersion and FieldPath are both very
                          rarely valid in actual usage. 2. Invalid usage help.  It
                          is impossible to add specific help for individual usage.
                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
                          honored\" or \"name must be restricted\". Those cannot be
                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
                          URL. This can produce ambiguity during interpretation and
                          require a REST mapping.  In most cases, the dependency is
                          on the group,resource tuple and the version of the actual
                          struct is irrelevant. 5. We cannot easily change it.  Because
                          this type is embedded in many locations, updates to this
                          type will affect numerous schemas.  Don't make new APIs
                          embed an underspecified API type they do not control. \n
                          Instead of using this type, create a locally provided and
                          used type that is well-focused on your reference. For example,
                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: 'If referring to a piece of an object instead
                              of an entire object, this string should contain a valid
                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container
                              within a pod, this would take on a value like: "spec.containers{name}"
                              (where "name" refers to the name of the container that
                              triggered the event) or if no container name is specified
                              "spec.containers[2]" (container with index 2 in this
                              pod). This syntax is chosen only to have some well-defined
                              way of referencing a part of an object. TODO: this design
                              is not final and this field is subject to change in
                              the future.'
                            type: string
                          kind:
                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                          resourceVersion:
                            description: 'Specific resourceVersion to which this reference
                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                            type: string
                          uid:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: Non-negative fractions of a second at nanosecond
                            resolution. Negative second values with fractions must
                            still have non-negative nanos values that count forward
                            in time. Must be from 0 to 999,999,999 inclusive. This
                            field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
                            to 9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: cleanuppolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: CleanupPolicy
    listKind: CleanupPolicyList
    plural: cleanuppolicies
    shortNames:
    - cleanpol
    singular: cleanuppolicy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v2alpha1
    schema:
      openAPIV3Schema:
        description: CleanupPolicy defines a rule for resource cleanup.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: AllConditions enable variable-based conditional rule
                      execution. This is useful for finer control of when an rule
                      is applied. A condition can reference object data using JMESPath
                      notation. Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: 'Operator is the conditional operation to perform.
                            Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
                            LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                            DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: Value is the conditional value, or set of values.
                            The values can be fixed set or can be variables declared
                            using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: AnyConditions enable variable-based conditional rule
                      execution. This is useful for finer control of when an rule
                      is applied. A condition can reference object data using JMESPath
                      notation. Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: 'Operator is the conditional operation to perform.
                            Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
                            LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                            DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: Value is the conditional value, or set of values.
                            The values can be fixed set or can be variables declared
                            using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: ContextEntry adds variables and data sources to a rule
                    Context. Either a ConfigMap reference or a APILookup must be provided.
                  properties:
                    apiCall:
                      description: APICall is an HTTP request to the Kubernetes API
                        server, or other JSON web service. The data returned is stored
                        in the context with the name for the context entry.
                      properties:
                        data:
                          description: Data specifies the POST data sent to the server.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the JSON response returned
                            from the server. For example a JMESPath of "items | length(@)"
                            applied to the API server response for the URLPath "/apis/apps/v1/deployments"
                            will return the total count of deployments across all
                            namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: Service is an API call to a JSON web service
                          properties:
                            caBundle:
                              description: CABundle is a PEM encoded CA bundle which
                                will be used to validate the server certificate.
                              type: string
                            url:
                              description: URL is the JSON web service URL. A typical
                                form is `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: URLPath is the URL path to be used in the HTTP
                            GET or POST request to the Kubernetes API server (e.g.
                            "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl
                            get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    imageRegistry:
                      description: ImageRegistry defines requests to an OCI/Docker
                        V2 registry to fetch image details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry
                              type: boolean
                            providers:
                              description: 'Providers specifies a list of OCI Registry
                                names, whose authentication providers are provided
                                It can be of one of these values: AWS, ACR, GCP, GHCR'
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: Secrets specifies a list of secrets that
                                are provided for credentials Secrets must live in
                                the Kyverno namespace
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the ImageData struct returned
                            as a result of processing the image reference.
                          type: string
                        reference:
                          description: 'Reference is image reference to a container
                            image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: Default is an optional arbitrary JSON object
                            that the variable may take if the JMESPath expression
                            evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: JMESPath is an optional JMESPath Expression
                            that can be used to transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: ExcludeResources defines when cleanuppolicy should not
                  be applied. The exclude criteria can include resource information
                  (e.g. kind, name, namespace, labels) and admission review request
                  information like the name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: MatchResources defines when cleanuppolicy should be applied.
                  The match criteria can include resource information (e.g. kind,
                  name, namespace, labels) and admission review request information
                  like the user name or role. At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: clusteradmissionreports.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterAdmissionReport
    listKind: ClusterAdmissionReportList
    plural: clusteradmissionreports
    shortNames:
    - cadmr
    singular: clusteradmissionreport
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.summary.pass
      name: PASS
      type: integer
    - jsonPath: .spec.summary.fail
      name: FAIL
      type: integer
    - jsonPath: .spec.summary.warn
      name: WARN
      type: integer
    - jsonPath: .spec.summary.error
      name: ERROR
      type: integer
    - jsonPath: .spec.summary.skip
      name: SKIP
      type: integer
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
      name: GVR
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
      name: REF
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
      name: AGGREGATE
      priority: 1
      type: string
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              owner:
                description: Owner is a reference to the report owner (e.g. a Deployment,
                  Namespace, or Node)
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  blockOwnerDeletion:
                    description: If true, AND if the owner has the "foregroundDeletion"
                      finalizer, then the owner cannot be deleted from the key-value
                      store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
                      for how the garbage collector interacts with this field and
                      enforces the foreground deletion. Defaults to false. To set
                      this field, a user needs "delete" permission of the owner, otherwise
                      422 (Unprocessable Entity) will be returned.
                    type: boolean
                  controller:
                    description: If true, this reference points to the managing controller.
                    type: boolean
                  kind:
                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
                    type: string
                  uid:
                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
                    type: string
                required:
                - apiVersion
                - kind
                - name
                - uid
                type: object
                x-kubernetes-map-type: atomic
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: SubjectSelector is an optional label selector for
                        checked Kubernetes resources. For example, a policy result
                        may apply to all pods that match a label. Either a Subject
                        or a SubjectSelector can be specified. If neither are provided,
                        the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
                          describing its usage when embedded in APIs. 1. Ignored fields.
                          \ It includes many fields which are not generally honored.
                          \ For instance, ResourceVersion and FieldPath are both very
                          rarely valid in actual usage. 2. Invalid usage help.  It
                          is impossible to add specific help for individual usage.
                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
                          honored\" or \"name must be restricted\". Those cannot be
                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
                          URL. This can produce ambiguity during interpretation and
                          require a REST mapping.  In most cases, the dependency is
                          on the group,resource tuple and the version of the actual
                          struct is irrelevant. 5. We cannot easily change it.  Because
                          this type is embedded in many locations, updates to this
                          type will affect numerous schemas.  Don't make new APIs
                          embed an underspecified API type they do not control. \n
                          Instead of using this type, create a locally provided and
                          used type that is well-focused on your reference. For example,
                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: 'If referring to a piece of an object instead
                              of an entire object, this string should contain a valid
                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container
                              within a pod, this would take on a value like: "spec.containers{name}"
                              (where "name" refers to the name of the container that
                              triggered the event) or if no container name is specified
                              "spec.containers[2]" (container with index 2 in this
                              pod). This syntax is chosen only to have some well-defined
                              way of referencing a part of an object. TODO: this design
                              is not final and this field is subject to change in
                              the future.'
                            type: string
                          kind:
                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                          resourceVersion:
                            description: 'Specific resourceVersion to which this reference
                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                            type: string
                          uid:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: Non-negative fractions of a second at nanosecond
                            resolution. Negative second values with fractions must
                            still have non-negative nanos values that count forward
                            in time. Must be from 0 to 999,999,999 inclusive. This
                            field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
                            to 9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            required:
            - owner
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: clusterbackgroundscanreports.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterBackgroundScanReport
    listKind: ClusterBackgroundScanReportList
    plural: clusterbackgroundscanreports
    shortNames:
    - cbgscanr
    singular: clusterbackgroundscanreport
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.ownerReferences[0].apiVersion
      name: ApiVersion
      priority: 1
      type: string
    - jsonPath: .metadata.ownerReferences[0].kind
      name: Kind
      priority: 1
      type: string
    - jsonPath: .metadata.ownerReferences[0].name
      name: Subject
      priority: 1
      type: string
    - jsonPath: .spec.summary.pass
      name: Pass
      type: integer
    - jsonPath: .spec.summary.fail
      name: Fail
      type: integer
    - jsonPath: .spec.summary.warn
      name: Warn
      type: integer
    - jsonPath: .spec.summary.error
      name: Error
      type: integer
    - jsonPath: .spec.summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
      name: Hash
      priority: 1
      type: string
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: SubjectSelector is an optional label selector for
                        checked Kubernetes resources. For example, a policy result
                        may apply to all pods that match a label. Either a Subject
                        or a SubjectSelector can be specified. If neither are provided,
                        the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
                          describing its usage when embedded in APIs. 1. Ignored fields.
                          \ It includes many fields which are not generally honored.
                          \ For instance, ResourceVersion and FieldPath are both very
                          rarely valid in actual usage. 2. Invalid usage help.  It
                          is impossible to add specific help for individual usage.
                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
                          honored\" or \"name must be restricted\". Those cannot be
                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
                          URL. This can produce ambiguity during interpretation and
                          require a REST mapping.  In most cases, the dependency is
                          on the group,resource tuple and the version of the actual
                          struct is irrelevant. 5. We cannot easily change it.  Because
                          this type is embedded in many locations, updates to this
                          type will affect numerous schemas.  Don't make new APIs
                          embed an underspecified API type they do not control. \n
                          Instead of using this type, create a locally provided and
                          used type that is well-focused on your reference. For example,
                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: 'If referring to a piece of an object instead
                              of an entire object, this string should contain a valid
                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container
                              within a pod, this would take on a value like: "spec.containers{name}"
                              (where "name" refers to the name of the container that
                              triggered the event) or if no container name is specified
                              "spec.containers[2]" (container with index 2 in this
                              pod). This syntax is chosen only to have some well-defined
                              way of referencing a part of an object. TODO: this design
                              is not final and this field is subject to change in
                              the future.'
                            type: string
                          kind:
                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                          resourceVersion:
                            description: 'Specific resourceVersion to which this reference
                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                            type: string
                          uid:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: Non-negative fractions of a second at nanosecond
                            resolution. Negative second values with fractions must
                            still have non-negative nanos values that count forward
                            in time. Must be from 0 to 999,999,999 inclusive. This
                            field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
                            to 9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  required:
                  - policy
                  type: object
                type: array
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: clustercleanuppolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterCleanupPolicy
    listKind: ClusterCleanupPolicyList
    plural: clustercleanuppolicies
    shortNames:
    - ccleanpol
    singular: clustercleanuppolicy
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.schedule
      name: Schedule
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v2alpha1
    schema:
      openAPIV3Schema:
        description: ClusterCleanupPolicy defines rule for resource cleanup.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              conditions:
                description: Conditions defines the conditions used to select the
                  resources which will be cleaned up.
                properties:
                  all:
                    description: AllConditions enable variable-based conditional rule
                      execution. This is useful for finer control of when an rule
                      is applied. A condition can reference object data using JMESPath
                      notation. Here, all of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: 'Operator is the conditional operation to perform.
                            Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
                            LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                            DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: Value is the conditional value, or set of values.
                            The values can be fixed set or can be variables declared
                            using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                  any:
                    description: AnyConditions enable variable-based conditional rule
                      execution. This is useful for finer control of when an rule
                      is applied. A condition can reference object data using JMESPath
                      notation. Here, at least one of the conditions need to pass.
                    items:
                      properties:
                        key:
                          description: Key is the context entry (using JMESPath) for
                            conditional rule evaluation.
                          x-kubernetes-preserve-unknown-fields: true
                        message:
                          description: Message is an optional display message
                          type: string
                        operator:
                          description: 'Operator is the conditional operation to perform.
                            Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
                            LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                            DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                          enum:
                          - Equals
                          - NotEquals
                          - AnyIn
                          - AllIn
                          - AnyNotIn
                          - AllNotIn
                          - GreaterThanOrEquals
                          - GreaterThan
                          - LessThanOrEquals
                          - LessThan
                          - DurationGreaterThanOrEquals
                          - DurationGreaterThan
                          - DurationLessThanOrEquals
                          - DurationLessThan
                          type: string
                        value:
                          description: Value is the conditional value, or set of values.
                            The values can be fixed set or can be variables declared
                            using JMESPath.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                    type: array
                type: object
              context:
                description: Context defines variables and data sources that can be
                  used during rule execution.
                items:
                  description: ContextEntry adds variables and data sources to a rule
                    Context. Either a ConfigMap reference or a APILookup must be provided.
                  properties:
                    apiCall:
                      description: APICall is an HTTP request to the Kubernetes API
                        server, or other JSON web service. The data returned is stored
                        in the context with the name for the context entry.
                      properties:
                        data:
                          description: Data specifies the POST data sent to the server.
                          items:
                            description: RequestData contains the HTTP POST data
                            properties:
                              key:
                                description: Key is a unique identifier for the data
                                  value
                                type: string
                              value:
                                description: Value is the data value
                                x-kubernetes-preserve-unknown-fields: true
                            required:
                            - key
                            - value
                            type: object
                          type: array
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the JSON response returned
                            from the server. For example a JMESPath of "items | length(@)"
                            applied to the API server response for the URLPath "/apis/apps/v1/deployments"
                            will return the total count of deployments across all
                            namespaces.
                          type: string
                        method:
                          default: GET
                          description: Method is the HTTP request type (GET or POST).
                          enum:
                          - GET
                          - POST
                          type: string
                        service:
                          description: Service is an API call to a JSON web service
                          properties:
                            caBundle:
                              description: CABundle is a PEM encoded CA bundle which
                                will be used to validate the server certificate.
                              type: string
                            url:
                              description: URL is the JSON web service URL. A typical
                                form is `https://{service}.{namespace}:{port}/{path}`.
                              type: string
                          required:
                          - url
                          type: object
                        urlPath:
                          description: URLPath is the URL path to be used in the HTTP
                            GET or POST request to the Kubernetes API server (e.g.
                            "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                            The format required is the same format used by the `kubectl
                            get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                            for details.
                          type: string
                      type: object
                    configMap:
                      description: ConfigMap is the ConfigMap reference.
                      properties:
                        name:
                          description: Name is the ConfigMap name.
                          type: string
                        namespace:
                          description: Namespace is the ConfigMap namespace.
                          type: string
                      required:
                      - name
                      type: object
                    imageRegistry:
                      description: ImageRegistry defines requests to an OCI/Docker
                        V2 registry to fetch image details.
                      properties:
                        imageRegistryCredentials:
                          description: ImageRegistryCredentials provides credentials
                            that will be used for authentication with registry
                          properties:
                            allowInsecureRegistry:
                              description: AllowInsecureRegistry allows insecure access
                                to a registry
                              type: boolean
                            providers:
                              description: 'Providers specifies a list of OCI Registry
                                names, whose authentication providers are provided
                                It can be of one of these values: AWS, ACR, GCP, GHCR'
                              items:
                                description: ImageRegistryCredentialsProvidersType
                                  provides the list of credential providers required.
                                enum:
                                - default
                                - amazon
                                - azure
                                - google
                                - github
                                type: string
                              type: array
                            secrets:
                              description: Secrets specifies a list of secrets that
                                are provided for credentials Secrets must live in
                                the Kyverno namespace
                              items:
                                type: string
                              type: array
                          type: object
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the ImageData struct returned
                            as a result of processing the image reference.
                          type: string
                        reference:
                          description: 'Reference is image reference to a container
                            image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                          type: string
                      required:
                      - reference
                      type: object
                    name:
                      description: Name is the variable name.
                      type: string
                    variable:
                      description: Variable defines an arbitrary JMESPath context
                        variable that can be defined inline.
                      properties:
                        default:
                          description: Default is an optional arbitrary JSON object
                            that the variable may take if the JMESPath expression
                            evaluates to nil
                          x-kubernetes-preserve-unknown-fields: true
                        jmesPath:
                          description: JMESPath is an optional JMESPath Expression
                            that can be used to transform the variable.
                          type: string
                        value:
                          description: Value is any arbitrary JSON object representable
                            in YAML or JSON form.
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
                type: array
              exclude:
                description: ExcludeResources defines when cleanuppolicy should not
                  be applied. The exclude criteria can include resource information
                  (e.g. kind, name, namespace, labels) and admission review request
                  information like the name or role.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              match:
                description: MatchResources defines when cleanuppolicy should be applied.
                  The match criteria can include resource information (e.g. kind,
                  name, namespace, labels) and admission review request information
                  like the user name or role. At least one kind is required.
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
              schedule:
                description: The schedule in Cron format
                type: string
            required:
            - schedule
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              conditions:
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: clusterpolicies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: ClusterPolicy
    listKind: ClusterPolicyList
    plural: clusterpolicies
    shortNames:
    - cpol
    singular: clusterpolicy
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: ClusterPolicy declares validation, mutation, and generation behaviors
          for matching resources.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              admission:
                default: true
                description: Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: ApplyRules controls how rules in a policy are applied.
                  Rule are processed in the order of declaration. When set to `One`
                  processing stops after a rule has been applied i.e. the rule matches
                  and results in a pass, fail, or error. When set to `All` all rules
                  in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: Background controls if rules are applied to existing
                  resources during a background scan. Optional. Default value is "true".
                  The value must be set to "false" if the policy rule uses variables
                  that are only available in the admission review request (e.g. user
                  name).
                type: boolean
              failurePolicy:
                description: FailurePolicy defines how unexpected policy errors and
                  webhook response timeout errors are handled. Rules within the same
                  policy share the same failure behavior. This field should not be
                  accessed directly, instead `GetFailurePolicy()` should be used.
                  Allowed values are Ignore or Fail. Defaults to Fail.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: GenerateExisting controls whether to trigger generate
                  rule in existing resources If is set to "true" generate rule will
                  be triggered and applied to existing matched resources. Defaults
                  to "false" if not specified.
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: MutateExistingOnPolicyUpdate controls if a mutateExisting
                  policy is applied on policy events. Default value is "false".
                type: boolean
              rules:
                description: Rules is a list of Rule instances. A Policy contains
                  multiple rules and each rule can validate, mutate, or generate resources.
                items:
                  description: Rule defines a validation, mutation, or generation
                    control for matching resources. Each rules contains a match declaration
                    to select resources, and an optional exclude declaration to specify
                    which resources to exclude.
                  properties:
                    celPreconditions:
                      description: CELPreconditions are used to determine if a policy
                        rule should be applied by evaluating a set of CEL conditions.
                        It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          by fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: "Expression represents the expression which
                              will be evaluated by CEL. Must evaluate to bool. CEL
                              expressions have access to the contents of the AdmissionRequest
                              and Authorizer, organized into CEL variables: \n 'object'
                              - The object from the incoming request. The value is
                              null for DELETE requests. 'oldObject' - The existing
                              object. The value is null for CREATE requests. 'request'
                              - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform
                              authorization checks for the principal (user or service
                              account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed
                              from the 'authorizer' and configured with the request
                              resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
                              \n Required."
                            type: string
                          name:
                            description: "Name is an identifier for this match condition,
                              used for strategic merging of MatchConditions, as well
                              as providing an identifier for logging purposes. A good
                              name should be descriptive of the associated expression.
                              Name must be a qualified name consisting of alphanumeric
                              characters, '-', '_' or '.', and must start and end
                              with an alphanumeric character (e.g. 'MyName',  or 'my.name',
                              \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                              with an optional DNS subdomain prefix and '/' (e.g.
                              'example.com/MyName') \n Required."
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: ContextEntry adds variables and data sources
                          to a rule Context. Either a ConfigMap reference or a APILookup
                          must be provided.
                        properties:
                          apiCall:
                            description: APICall is an HTTP request to the Kubernetes
                              API server, or other JSON web service. The data returned
                              is stored in the context with the name for the context
                              entry.
                            properties:
                              data:
                                description: Data specifies the POST data sent to
                                  the server.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the JSON response
                                  returned from the server. For example a JMESPath
                                  of "items | length(@)" applied to the API server
                                  response for the URLPath "/apis/apps/v1/deployments"
                                  will return the total count of deployments across
                                  all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST).
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: Service is an API call to a JSON web
                                  service
                                properties:
                                  caBundle:
                                    description: CABundle is a PEM encoded CA bundle
                                      which will be used to validate the server certificate.
                                    type: string
                                  url:
                                    description: URL is the JSON web service URL.
                                      A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: URLPath is the URL path to be used in
                                  the HTTP GET or POST request to the Kubernetes API
                                  server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the
                                  `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          imageRegistry:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
                                  returned as a result of processing the image reference.
                                type: string
                              reference:
                                description: 'Reference is image reference to a container
                                  image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: Default is an optional arbitrary JSON
                                  object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: JMESPath is an optional JMESPath Expression
                                  that can be used to transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: ExcludeResources defines when this policy rule
                        should not be applied. The exclude criteria can include resource
                        information (e.g. kind, name, namespace, labels) and admission
                        review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified. Requires at least
                            one tag to be specified when under MatchResources. Specifying
                            ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: Clone specifies the source resource used to
                            populate each generated resource. At most one of Data
                            or Clone can be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resource
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: Selector is a label selector. Label keys
                                and values in `matchLabels`. wildcard characters are
                                not supported.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: Data provides the resource declaration used
                            to populate each generated resource. At most one of Data
                            or Clone must be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        synchronize:
                          description: Synchronize controls if generated resources
                            should be kept in-sync with their source resource. If
                            Synchronize is set to "true" changes to generated resources
                            will be overwritten with resource data from Data or the
                            resource specified in the Clone declaration. Optional.
                            Defaults to "false" if not specified.
                          type: boolean
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: 'JMESPath is an optional JMESPath expression
                                to apply to the image value. This is useful when the
                                extracted image begins with a prefix like ''docker://''.
                                The ''trim_prefix'' function may be used to trim the
                                prefix: trim_prefix(@, ''docker://''). Note - Image
                                digest mutation may not be used when applying a JMESPAth
                                to an image.'
                              type: string
                            key:
                              description: Key is an optional name of the field within
                                'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: Name is the entry the image will be available
                                under 'images.<name>' in the context. If this field
                                is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: Path is the path to the object containing
                                the image field in a custom resource. It should be
                                slash-separated. Each slash-separated key must be
                                a valid YAML key or a wildcard '*'. Wildcard keys
                                are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: Value is an optional name of the field
                                within 'path' that points to the image URI. This is
                                useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: ImageExtractors defines a mapping from kinds to
                        ImageExtractorConfigs. This config is only valid for verifyImages
                        rules.
                      type: object
                    match:
                      description: MatchResources defines when this policy rule should
                        be applied. The match criteria can include resource information
                        (e.g. kind, name, namespace, labels) and admission review
                        request information like the user name or role. At least one
                        kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified. Requires at least
                            one tag to be specified when under MatchResources. Specifying
                            ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              order:
                                description: Order defines the iteration order on
                                  the list. Can be Ascending to iterate from first
                                  to last element or Descending to iterate in from
                                  last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: PatchStrategicMerge is a strategic merge
                                  patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: PatchesJSON6902 is a list of RFC 6902
                                  JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        patchStrategicMerge:
                          description: PatchStrategicMerge is a strategic merge patch
                            used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: PatchesJSON6902 is a list of RFC 6902 JSON
                            Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: 'Preconditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements
                                  is supported for backwards compatibility but will
                                  be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule, It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: 'Preconditions are used to determine if a policy
                        rule should be applied by evaluating a set of conditions.
                        The declaration can contain nested `any` or `all` statements.
                        A direct list of conditions (without `any` or `all` statements
                        is supported for backwards compatibility but will be deprecated
                        in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                      x-kubernetes-preserve-unknown-fields: true
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: AnyPattern specifies list of validation patterns.
                            At least one of the patterns must be satisfied for the
                            validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: "key specifies the audit annotation
                                      key. The audit annotation keys of a ValidatingAdmissionPolicy
                                      must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
                                      63 bytes in length. \n The key is combined with
                                      the resource name of the ValidatingAdmissionPolicy
                                      to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                      name}/{key}\". \n If an admission webhook uses
                                      the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation
                                      key will be identical. In this case, the first
                                      annotation written with the key will be included
                                      in the audit event and all subsequent annotations
                                      with the same key will be discarded. \n Required."
                                    type: string
                                  valueExpression:
                                    description: "valueExpression represents the expression
                                      which is evaluated by CEL to produce an audit
                                      annotation value. The expression must evaluate
                                      to either a string or null value. If the expression
                                      evaluates to a string, the audit annotation
                                      is included with the string value. If the expression
                                      evaluates to null or empty string the audit
                                      annotation will be omitted. The valueExpression
                                      may be no longer than 5kb in length. If the
                                      result of the valueExpression is more than 10kb
                                      in length, it will be truncated to 10kb. \n
                                      If multiple ValidatingAdmissionPolicyBinding
                                      resources match an API request, then the valueExpression
                                      will be evaluated for each binding. All unique
                                      values produced by the valueExpressions will
                                      be joined together in a comma-separated list.
                                      \n Required."
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                      CEL expressions have access to the contents
                                      of the API request/response, organized into
                                      CEL variables as well as some other useful variables:
                                      \n - 'object' - The object from the incoming
                                      request. The value is null for DELETE requests.
                                      - 'oldObject' - The existing object. The value
                                      is null for CREATE requests. - 'request' - Attributes
                                      of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                      - 'params' - Parameter resource referred to
                                      by the policy binding being evaluated. Only
                                      populated if the policy has a ParamKind. - 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                      - 'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the request resource. \n The `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the object.
                                      No other metadata properties are accessible.
                                      \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible. Accessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression: - '__' escapes to
                                      '__underscores__' - '.' escapes to '__dot__'
                                      - '-' escapes to '__dash__' - '/' escapes to
                                      '__slash__' - Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are: \"true\", \"false\", \"null\",
                                      \"in\", \"as\", \"break\", \"const\", \"continue\",
                                      \"else\", \"for\", \"function\", \"if\", \"import\",
                                      \"let\", \"loop\", \"package\", \"namespace\",
                                      \"return\". Examples: - Expression accessing
                                      a property named \"namespace\": {\"Expression\":
                                      \"object.__namespace__ > 0\"} - Expression accessing
                                      a property named \"x-prop\": {\"Expression\":
                                      \"object.x__dash__prop > 0\"} - Expression accessing
                                      a property named \"redact__d\": {\"Expression\":
                                      \"object.redact__underscores__d > 0\"} \n Equality
                                      on arrays with list type of 'set' or 'map' ignores
                                      element order, i.e. [1, 2] == [2, 1]. Concatenation
                                      on arrays with x-kubernetes-list-type use the
                                      semantics of the list type: - 'set': `X + Y`
                                      performs a union where the array positions of
                                      all elements in `X` are preserved and non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order. - 'map': `X + Y` performs a merge
                                      where the array positions of all keys in `X`
                                      are preserved but the values are overwritten
                                      by values in `Y` when the key sets of `X` and
                                      `Y` intersect. Elements in `Y` with non-intersecting
                                      keys are appended, retaining their partial order.
                                      Required."
                                    type: string
                                  message:
                                    description: 'Message represents the message displayed
                                      when validation fails. The message is required
                                      if the Expression contains line breaks. The
                                      message must not contain line breaks. If unset,
                                      the message is "failed rule: {Rule}". e.g. "must
                                      be a URL with the host matching spec.host" If
                                      the Expression contains line breaks. Message
                                      is required. The message must not contain line
                                      breaks. If unset, the message is "failed Expression:
                                      {Expression}".'
                                    type: string
                                  messageExpression:
                                    description: 'messageExpression declares a CEL
                                      expression that evaluates to the validation
                                      failure message that is returned when this rule
                                      fails. Since messageExpression is used as a
                                      failure message, it must evaluate to a string.
                                      If both message and messageExpression are present
                                      on a validation, then messageExpression will
                                      be used if validation fails. If messageExpression
                                      results in a runtime error, the runtime error
                                      is logged, and the validation failure message
                                      is produced as if the messageExpression field
                                      were unset. If messageExpression evaluates to
                                      an empty string, a string with only spaces,
                                      or a string that contains line breaks, then
                                      the validation failure message will also be
                                      produced as if the messageExpression field were
                                      unset, and the fact that messageExpression produced
                                      an empty string/string with only spaces/string
                                      with line breaks will be logged. messageExpression
                                      has access to all the same variables as the
                                      `expression` except for ''authorizer'' and ''authorizer.requestResource''.
                                      Example: "object.x must be less than max ("+string(params.max)+")"'
                                    type: string
                                  reason:
                                    description: 'Reason represents a machine-readable
                                      description of why this validation failed. If
                                      this is the first validation in the list to
                                      fail, this reason, as well as the corresponding
                                      HTTP response code, are used in the HTTP response
                                      to the client. The currently supported reasons
                                      are: "Unauthorized", "Forbidden", "Invalid",
                                      "RequestEntityTooLarge". If not set, StatusReasonInvalid
                                      is used in the response to the client.'
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: APIVersion is the API group version
                                    the resources belong to. In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: Kind is the API kind the resources
                                    belong to. Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: Name of the resource being referenced.
                                  type: string
                                namespace:
                                  description: Namespace of the referenced resource.
                                    Should be empty for the cluster-scoped resources
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: 'Multiple conditions can be declared under
                                an `any` or `all` statement. A direct list of conditions
                                (without `any` or `all` statements) is also supported
                                for backwards compatibility but will be deprecated
                                in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                              x-kubernetes-preserve-unknown-fields: true
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: AnyPattern specifies list of validation
                                  patterns. At least one of the patterns must be satisfied
                                  for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: 'Multiple conditions can be declared
                                      under an `any` or `all` statement. A direct
                                      list of conditions (without `any` or `all` statements)
                                      is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: ElementScope specifies whether to use
                                  the current list element as the scope for validation.
                                  Defaults to "true" if not specified. When set to
                                  "false", "request.object" is used as the validation
                                  scope within the foreach block to allow referencing
                                  other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specified the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: Count specifies the required number
                                      of entries that must match. If the count is
                                      null, all entries must match (a logical AND).
                                      If the count is 1, at least one entry must match
                                      (a logical OR). If the count contains a value
                                      N, then N must be less than or equal to the
                                      size of entries, and at least N entries must
                                      match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: Entries contains the available attestors.
                                      An attestor can be a static key, attributes
                                      for keyless verification, or a nested attestor
                                      declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: Annotations are used for image
                                            verification. Every specified key-value
                                            pair must exist and match in the verified
                                            payload. The payload may contain other
                                            key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested AttestorSet
                                            used to specify a more complex set of
                                            match authorities
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates
                                          properties:
                                            cert:
                                              description: Certificate is an optional
                                                PEM encoded public certificate.
                                              type: string
                                            certChain:
                                              description: CertificateChain is an
                                                optional PEM encoded set of certificates
                                                used to verify
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked. If an empty object is provided
                                                the public instance of Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                          type: object
                                        keyless:
                                          description: Keyless is a set of attribute
                                            used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked and a root certificate chain
                                                is expected instead. If an empty object
                                                is provided the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            roots:
                                              description: Roots is an optional set
                                                of PEM encoded trusted root certificates.
                                                If not provided, the system roots
                                                are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys
                                          properties:
                                            kms:
                                              description: 'KMS provides the URI to
                                                the public key stored in a Key Management
                                                System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                              type: string
                                            publicKeys:
                                              description: Keys is a set of X.509
                                                public keys used to verify image signatures.
                                                The keys can be directly specified
                                                or can be a variable reference to
                                                a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/),
                                                or reference a standard Kubernetes
                                                Secret elsewhere in the cluster by
                                                specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key
                                                `cosign.pub` containing the public
                                                key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each
                                                key is processed as a separate staticKey
                                                entry (.attestors[*].entries.keys)
                                                within the set of attestors and the
                                                count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, or an empty object
                                                is provided, the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha256 and sha512
                                              type: string
                                          type: object
                                        repository:
                                          description: Repository is an optional alternate
                                            OCI repository to use for signatures and
                                            attestations that match this rule. If
                                            specified Repository will override other
                                            OCI image repository locations for this
                                            Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: Repository is an optional alternate OCI
                                repository to use for resource bundle reference. The
                                repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: PodSecurity applies exemptions for Kubernetes
                            Pod Security admission by specifying exclusions for Pod
                            Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: 'ControlName specifies the name of
                                      the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: 'Images selects matching containers
                                      and applies the container level PSS. Each image
                                      is the image name consisting of the registry
                                      address, repository, image, and tag. Empty list
                                      matches no containers, PSS checks are applied
                                      at the pod level only. Wildcards (''*'' and
                                      ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: Level defines the Pod Security Standard
                                level to be applied to workloads. Allowed values are
                                privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: Version defines the Pod Security Standard
                                versions that Kubernetes supports. Allowed values
                                are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
                                v1.26, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - latest
                              type: string
                          type: object
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: ImageVerification validates that images that
                          match the specified pattern are signed with the supplied
                          public key. Once the image is verified it is mutated to
                          include the SHA digest retrieved during the registration.
                        properties:
                          additionalExtensions:
                            additionalProperties:
                              type: string
                            description: AdditionalExtensions are certificate-extensions
                              used for keyless signing. Deprecated.
                            type: object
                          annotations:
                            additionalProperties:
                              type: string
                            description: Annotations are used for image verification.
                              Every specified key-value pair must exist and match
                              in the verified payload. The payload may contain other
                              key-value pairs. Deprecated. Use annotations per Attestor
                              instead.
                            type: object
                          attestations:
                            description: Attestations are optional checks for signed
                              in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
                              Kyverno fetches signed attestations from the OCI registry
                              and decodes them into a list of Statement declarations.
                            items:
                              description: Attestation are checks for signed in-toto
                                Statements that are used to verify the image. See
                                https://github.com/in-toto/attestation. Kyverno fetches
                                signed attestations from the OCI registry and decodes
                                them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: Conditions are used to verify attributes
                                    within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long there
                                    are predicates that match the predicate type.
                                  items:
                                    description: AnyAllConditions consists of conditions
                                      wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one
                                      of its sub-conditions passes. AllConditions
                                      get fulfilled only when all of its sub-conditions
                                      pass.
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: PredicateType defines the type of Predicate
                                    contained within the Statement. Deprecated in
                                    favour of 'Type', to be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specified the required attestors
                              (i.e. authorities)
                            items:
                              properties:
                                count:
                                  description: Count specifies the required number
                                    of entries that must match. If the count is null,
                                    all entries must match (a logical AND). If the
                                    count is 1, at least one entry must match (a logical
                                    OR). If the count contains a value N, then N must
                                    be less than or equal to the size of entries,
                                    and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: Entries contains the available attestors.
                                    An attestor can be a static key, attributes for
                                    keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations are used for image
                                          verification. Every specified key-value
                                          pair must exist and match in the verified
                                          payload. The payload may contain other key-value
                                          pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested AttestorSet
                                          used to specify a more complex set of match
                                          authorities
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates
                                        properties:
                                          cert:
                                            description: Certificate is an optional
                                              PEM encoded public certificate.
                                            type: string
                                          certChain:
                                            description: CertificateChain is an optional
                                              PEM encoded set of certificates used
                                              to verify
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked.
                                              If an empty object is provided the public
                                              instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                        type: object
                                      keyless:
                                        description: Keyless is a set of attribute
                                          used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked
                                              and a root certificate chain is expected
                                              instead. If an empty object is provided
                                              the public instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          roots:
                                            description: Roots is an optional set
                                              of PEM encoded trusted root certificates.
                                              If not provided, the system roots are
                                              used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys
                                        properties:
                                          kms:
                                            description: 'KMS provides the URI to
                                              the public key stored in a Key Management
                                              System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                            type: string
                                          publicKeys:
                                            description: Keys is a set of X.509 public
                                              keys used to verify image signatures.
                                              The keys can be directly specified or
                                              can be a variable reference to a key
                                              specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                              or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying
                                              it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key
                                              `cosign.pub` containing the public key
                                              used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each
                                              key is processed as a separate staticKey
                                              entry (.attestors[*].entries.keys) within
                                              the set of attestors and the count is
                                              applied across the keys.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, or an empty object
                                              is provided, the public instance of
                                              Rekor (https://rekor.sigstore.dev) is
                                              used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha256 and sha512
                                            type: string
                                        type: object
                                      repository:
                                        description: Repository is an optional alternate
                                          OCI repository to use for signatures and
                                          attestations that match this rule. If specified
                                          Repository will override other OCI image
                                          repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          image:
                            description: 'Image is the image name consisting of the
                              registry address, repository, image, and tag. Wildcards
                              (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                              Deprecated. Use ImageReferences instead.'
                            type: string
                          imageReferences:
                            description: 'ImageReferences is a list of matching image
                              reference patterns. At least one pattern in the list
                              must match the image for the rule to apply. Each image
                              reference consists of a registry address (defaults to
                              docker.io), repository, image, and tag (defaults to
                              latest). Wildcards (''*'' and ''?'') are allowed. See:
                              https://kubernetes.io/docs/concepts/containers/images.'
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry
                                type: boolean
                              providers:
                                description: 'Providers specifies a list of OCI Registry
                                  names, whose authentication providers are provided
                                  It can be of one of these values: AWS, ACR, GCP,
                                  GHCR'
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: Secrets specifies a list of secrets that
                                  are provided for credentials Secrets must live in
                                  the Kyverno namespace
                                items:
                                  type: string
                                type: array
                            type: object
                          issuer:
                            description: Issuer is the certificate issuer used for
                              keyless signing. Deprecated. Use KeylessAttestor instead.
                            type: string
                          key:
                            description: Key is the PEM encoded public key that the
                              image or attestation is signed with. Deprecated. Use
                              StaticKeyAttestor instead.
                            type: string
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
                              tags with digests. Defaults to true.
                            type: boolean
                          repository:
                            description: Repository is an optional alternate OCI repository
                              to use for image signatures and attestations that match
                              this rule. If specified Repository will override the
                              default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or
                              Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have matched passed a signature or attestation
                              check.
                            type: boolean
                          roots:
                            description: Roots is the PEM encoded Root certificate
                              chain used for keyless signing Deprecated. Use KeylessAttestor
                              instead.
                            type: string
                          subject:
                            description: Subject is the identity used for keyless
                              signing, for example an email address Deprecated. Use
                              KeylessAttestor instead.
                            type: string
                          type:
                            description: Type specifies the method of signature validation.
                              The allowed options are Cosign and Notary. By default
                              Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: SchemaValidation skips validation checks for policies
                  as well as patched resources. Optional. The default value is set
                  to "true", it must be set to "false" to disable the validation checks.
                type: boolean
              useServerSideApply:
                description: UseServerSideApply controls whether to use server-side
                  apply for generate rules If is set to "true" create & update for
                  generate rules will use apply instead of create/update. Defaults
                  to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: ValidationFailureAction defines if a validation policy
                  rule violation should block the admission review request (enforce),
                  or allow (audit) the admission review request and report an error
                  in a policy report. Optional. Allowed values are audit or enforce.
                  The default value is "Audit".
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
                  attribute that specifies ValidationFailureAction namespace-wise.
                  It overrides ValidationFailureAction for the specified namespaces.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookTimeoutSeconds:
                description: WebhookTimeoutSeconds specifies the maximum time in seconds
                  allowed to apply this policy. After the configured time expires,
                  the admission request may fail, or may simply ignore the policy
                  results, based on the failure policy. The default timeout is 10s,
                  the value must be between 1 and 30 seconds.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: Autogen contains autogen status information
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: Rule defines a validation, mutation, or generation
                        control for matching resources. Each rules contains a match
                        declaration to select resources, and an optional exclude declaration
                        to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: CELPreconditions are used to determine if a
                            policy rule should be applied by evaluating a set of CEL
                            conditions. It can only be used with the validate.cel
                            subrule
                          items:
                            description: MatchCondition represents a condition which
                              must by fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: "Expression represents the expression
                                  which will be evaluated by CEL. Must evaluate to
                                  bool. CEL expressions have access to the contents
                                  of the AdmissionRequest and Authorizer, organized
                                  into CEL variables: \n 'object' - The object from
                                  the incoming request. The value is null for DELETE
                                  requests. 'oldObject' - The existing object. The
                                  value is null for CREATE requests. 'request' - Attributes
                                  of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to
                                  perform authorization checks for the principal (user
                                  or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck
                                  constructed from the 'authorizer' and configured
                                  with the request resource. Documentation on CEL:
                                  https://kubernetes.io/docs/reference/using-api/cel/
                                  \n Required."
                                type: string
                              name:
                                description: "Name is an identifier for this match
                                  condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes.
                                  A good name should be descriptive of the associated
                                  expression. Name must be a qualified name consisting
                                  of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character
                                  (e.g. 'MyName',  or 'my.name',  or '123-abc', regex
                                  used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                                  with an optional DNS subdomain prefix and '/' (e.g.
                                  'example.com/MyName') \n Required."
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: ContextEntry adds variables and data sources
                              to a rule Context. Either a ConfigMap reference or a
                              APILookup must be provided.
                            properties:
                              apiCall:
                                description: APICall is an HTTP request to the Kubernetes
                                  API server, or other JSON web service. The data
                                  returned is stored in the context with the name
                                  for the context entry.
                                properties:
                                  data:
                                    description: Data specifies the POST data sent
                                      to the server.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      JSON response returned from the server. For
                                      example a JMESPath of "items | length(@)" applied
                                      to the API server response for the URLPath "/apis/apps/v1/deployments"
                                      will return the total count of deployments across
                                      all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST).
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: Service is an API call to a JSON
                                      web service
                                    properties:
                                      caBundle:
                                        description: CABundle is a PEM encoded CA
                                          bundle which will be used to validate the
                                          server certificate.
                                        type: string
                                      url:
                                        description: URL is the JSON web service URL.
                                          A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: URLPath is the URL path to be used
                                      in the HTTP GET or POST request to the Kubernetes
                                      API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used
                                      by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              imageRegistry:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry
                                        type: boolean
                                      providers:
                                        description: 'Providers specifies a list of
                                          OCI Registry names, whose authentication
                                          providers are provided It can be of one
                                          of these values: AWS, ACR, GCP, GHCR'
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: Secrets specifies a list of secrets
                                          that are provided for credentials Secrets
                                          must live in the Kyverno namespace
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: 'Reference is image reference to
                                      a container image in the registry. Example:
                                      ghcr.io/kyverno/kyverno:latest'
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: Default is an optional arbitrary
                                      JSON object that the variable may take if the
                                      JMESPath expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: JMESPath is an optional JMESPath
                                      Expression that can be used to transform the
                                      variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: ExcludeResources defines when this policy rule
                            should not be applied. The exclude criteria can include
                            resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name
                            or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: Clone specifies the source resource used
                                to populate each generated resource. At most one of
                                Data or Clone can be specified. If neither are provided,
                                the generated resource will be created with default
                                data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resource used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: Selector is a label selector. Label
                                    keys and values in `matchLabels`. wildcard characters
                                    are not supported.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: Data provides the resource declaration
                                used to populate each generated resource. At most
                                one of Data or Clone must be specified. If neither
                                are provided, the generated resource will be created
                                with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            synchronize:
                              description: Synchronize controls if generated resources
                                should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated
                                resources will be overwritten with resource data from
                                Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: 'JMESPath is an optional JMESPath expression
                                    to apply to the image value. This is useful when
                                    the extracted image begins with a prefix like
                                    ''docker://''. The ''trim_prefix'' function may
                                    be used to trim the prefix: trim_prefix(@, ''docker://'').
                                    Note - Image digest mutation may not be used when
                                    applying a JMESPAth to an image.'
                                  type: string
                                key:
                                  description: Key is an optional name of the field
                                    within 'path' that will be used to uniquely identify
                                    an image. Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: Name is the entry the image will be
                                    available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will
                                    appear under 'images.custom'.
                                  type: string
                                path:
                                  description: Path is the path to the object containing
                                    the image field in a custom resource. It should
                                    be slash-separated. Each slash-separated key must
                                    be a valid YAML key or a wildcard '*'. Wildcard
                                    keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: Value is an optional name of the field
                                    within 'path' that points to the image URI. This
                                    is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: ImageExtractors defines a mapping from kinds
                            to ImageExtractorConfigs. This config is only valid for
                            verifyImages rules.
                          type: object
                        match:
                          description: MatchResources defines when this policy rule
                            should be applied. The match criteria can include resource
                            information (e.g. kind, name, namespace, labels) and admission
                            review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  order:
                                    description: Order defines the iteration order
                                      on the list. Can be Ascending to iterate from
                                      first to last element or Descending to iterate
                                      in from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: PatchStrategicMerge is a strategic
                                      merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: PatchesJSON6902 is a list of RFC
                                      6902 JSON Patch declarations used to modify
                                      resources. See https://tools.ietf.org/html/rfc6902
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            patchStrategicMerge:
                              description: PatchStrategicMerge is a strategic merge
                                patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: PatchesJSON6902 is a list of RFC 6902 JSON
                                Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: 'Preconditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements
                                      is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule, It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: 'Preconditions are used to determine if a policy
                            rule should be applied by evaluating a set of conditions.
                            The declaration can contain nested `any` or `all` statements.
                            A direct list of conditions (without `any` or `all` statements
                            is supported for backwards compatibility but will be deprecated
                            in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                          x-kubernetes-preserve-unknown-fields: true
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: AnyPattern specifies list of validation
                                patterns. At least one of the patterns must be satisfied
                                for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: "key specifies the audit annotation
                                          key. The audit annotation keys of a ValidatingAdmissionPolicy
                                          must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
                                          than 63 bytes in length. \n The key is combined
                                          with the resource name of the ValidatingAdmissionPolicy
                                          to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                          name}/{key}\". \n If an admission webhook
                                          uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation
                                          key will be identical. In this case, the
                                          first annotation written with the key will
                                          be included in the audit event and all subsequent
                                          annotations with the same key will be discarded.
                                          \n Required."
                                        type: string
                                      valueExpression:
                                        description: "valueExpression represents the
                                          expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression
                                          must evaluate to either a string or null
                                          value. If the expression evaluates to a
                                          string, the audit annotation is included
                                          with the string value. If the expression
                                          evaluates to null or empty string the audit
                                          annotation will be omitted. The valueExpression
                                          may be no longer than 5kb in length. If
                                          the result of the valueExpression is more
                                          than 10kb in length, it will be truncated
                                          to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
                                          resources match an API request, then the
                                          valueExpression will be evaluated for each
                                          binding. All unique values produced by the
                                          valueExpressions will be joined together
                                          in a comma-separated list. \n Required."
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                          CEL expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables: \n - 'object' - The object from
                                          the incoming request. The value is null
                                          for DELETE requests. - 'oldObject' - The
                                          existing object. The value is null for CREATE
                                          requests. - 'request' - Attributes of the
                                          API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                          - 'params' - Parameter resource referred
                                          to by the policy binding being evaluated.
                                          Only populated if the policy has a ParamKind.
                                          - 'authorizer' - A CEL Authorizer. May be
                                          used to perform authorization checks for
                                          the principal (user or service account)
                                          of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                          - 'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the request resource. \n The `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the
                                          object. No other metadata properties are
                                          accessible. \n Only property names of the
                                          form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
                                          accessible. Accessible property names are
                                          escaped according to the following rules
                                          when accessed in the expression: - '__'
                                          escapes to '__underscores__' - '.' escapes
                                          to '__dot__' - '-' escapes to '__dash__'
                                          - '/' escapes to '__slash__' - Property
                                          names that exactly match a CEL RESERVED
                                          keyword escape to '__{keyword}__'. The keywords
                                          are: \"true\", \"false\", \"null\", \"in\",
                                          \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",
                                          \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\". Examples: - Expression
                                          accessing a property named \"namespace\":
                                          {\"Expression\": \"object.__namespace__
                                          > 0\"} - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"} - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"} \n Equality on arrays with list type
                                          of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1]. Concatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type: - 'set': `X
                                          + Y` performs a union where the array positions
                                          of all elements in `X` are preserved and
                                          non-intersecting elements in `Y` are appended,
                                          retaining their partial order. - 'map':
                                          `X + Y` performs a merge where the array
                                          positions of all keys in `X` are preserved
                                          but the values are overwritten by values
                                          in `Y` when the key sets of `X` and `Y`
                                          intersect. Elements in `Y` with non-intersecting
                                          keys are appended, retaining their partial
                                          order. Required."
                                        type: string
                                      message:
                                        description: 'Message represents the message
                                          displayed when validation fails. The message
                                          is required if the Expression contains line
                                          breaks. The message must not contain line
                                          breaks. If unset, the message is "failed
                                          rule: {Rule}". e.g. "must be a URL with
                                          the host matching spec.host" If the Expression
                                          contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression:
                                          {Expression}".'
                                        type: string
                                      messageExpression:
                                        description: 'messageExpression declares a
                                          CEL expression that evaluates to the validation
                                          failure message that is returned when this
                                          rule fails. Since messageExpression is used
                                          as a failure message, it must evaluate to
                                          a string. If both message and messageExpression
                                          are present on a validation, then messageExpression
                                          will be used if validation fails. If messageExpression
                                          results in a runtime error, the runtime
                                          error is logged, and the validation failure
                                          message is produced as if the messageExpression
                                          field were unset. If messageExpression evaluates
                                          to an empty string, a string with only spaces,
                                          or a string that contains line breaks, then
                                          the validation failure message will also
                                          be produced as if the messageExpression
                                          field were unset, and the fact that messageExpression
                                          produced an empty string/string with only
                                          spaces/string with line breaks will be logged.
                                          messageExpression has access to all the
                                          same variables as the `expression` except
                                          for ''authorizer'' and ''authorizer.requestResource''.
                                          Example: "object.x must be less than max
                                          ("+string(params.max)+")"'
                                        type: string
                                      reason:
                                        description: 'Reason represents a machine-readable
                                          description of why this validation failed.
                                          If this is the first validation in the list
                                          to fail, this reason, as well as the corresponding
                                          HTTP response code, are used in the HTTP
                                          response to the client. The currently supported
                                          reasons are: "Unauthorized", "Forbidden",
                                          "Invalid", "RequestEntityTooLarge". If not
                                          set, StatusReasonInvalid is used in the
                                          response to the client.'
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: APIVersion is the API group version
                                        the resources belong to. In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: Kind is the API kind the resources
                                        belong to. Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: Name of the resource being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced resource.
                                        Should be empty for the cluster-scoped resources
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: 'Multiple conditions can be declared
                                    under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements)
                                    is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: AnyPattern specifies list of validation
                                      patterns. At least one of the patterns must
                                      be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: 'Multiple conditions can be declared
                                          under an `any` or `all` statement. A direct
                                          list of conditions (without `any` or `all`
                                          statements) is also supported for backwards
                                          compatibility but will be deprecated in
                                          the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: ElementScope specifies whether to
                                      use the current list element as the scope for
                                      validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used
                                      as the validation scope within the foreach block
                                      to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specified the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: Repository is an optional alternate
                                    OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor
                                    or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: PodSecurity applies exemptions for Kubernetes
                                Pod Security admission by specifying exclusions for
                                Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: 'ControlName specifies the name
                                          of the Pod Security Standard control. See:
                                          https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: 'Images selects matching containers
                                          and applies the container level PSS. Each
                                          image is the image name consisting of the
                                          registry address, repository, image, and
                                          tag. Empty list matches no containers, PSS
                                          checks are applied at the pod level only.
                                          Wildcards (''*'' and ''?'') are allowed.
                                          See: https://kubernetes.io/docs/concepts/containers/images.'
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: Level defines the Pod Security Standard
                                    level to be applied to workloads. Allowed values
                                    are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: Version defines the Pod Security Standard
                                    versions that Kubernetes supports. Allowed values
                                    are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
                                    v1.25, v1.26, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - latest
                                  type: string
                              type: object
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: ImageVerification validates that images that
                              match the specified pattern are signed with the supplied
                              public key. Once the image is verified it is mutated
                              to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: AdditionalExtensions are certificate-extensions
                                  used for keyless signing. Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Annotations are used for image verification.
                                  Every specified key-value pair must exist and match
                                  in the verified payload. The payload may contain
                                  other key-value pairs. Deprecated. Use annotations
                                  per Attestor instead.
                                type: object
                              attestations:
                                description: Attestations are optional checks for
                                  signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno
                                  fetches signed attestations from the OCI registry
                                  and decodes them into a list of Statement declarations.
                                items:
                                  description: Attestation are checks for signed in-toto
                                    Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno
                                    fetches signed attestations from the OCI registry
                                    and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities)
                                      items:
                                        properties:
                                          count:
                                            description: Count specifies the required
                                              number of entries that must match. If
                                              the count is null, all entries must
                                              match (a logical AND). If the count
                                              is 1, at least one entry must match
                                              (a logical OR). If the count contains
                                              a value N, then N must be less than
                                              or equal to the size of entries, and
                                              at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: Entries contains the available
                                              attestors. An attestor can be a static
                                              key, attributes for keyless verification,
                                              or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: Annotations are used
                                                    for image verification. Every
                                                    specified key-value pair must
                                                    exist and match in the verified
                                                    payload. The payload may contain
                                                    other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    AttestorSet used to specify a
                                                    more complex set of match authorities
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates
                                                  properties:
                                                    cert:
                                                      description: Certificate is
                                                        an optional PEM encoded public
                                                        certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertificateChain
                                                        is an optional PEM encoded
                                                        set of certificates used to
                                                        verify
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked. If an empty
                                                        object is provided the public
                                                        instance of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: Keyless is a set of
                                                    attribute used to verify a Sigstore
                                                    keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked and a root
                                                        certificate chain is expected
                                                        instead. If an empty object
                                                        is provided the public instance
                                                        of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    roots:
                                                      description: Roots is an optional
                                                        set of PEM encoded trusted
                                                        root certificates. If not
                                                        provided, the system roots
                                                        are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys
                                                  properties:
                                                    kms:
                                                      description: 'KMS provides the
                                                        URI to the public key stored
                                                        in a Key Management System.
                                                        See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                      type: string
                                                    publicKeys:
                                                      description: Keys is a set of
                                                        X.509 public keys used to
                                                        verify image signatures. The
                                                        keys can be directly specified
                                                        or can be a variable reference
                                                        to a key specified in a ConfigMap
                                                        (see https://kyverno.io/docs/writing-policies/variables/),
                                                        or reference a standard Kubernetes
                                                        Secret elsewhere in the cluster
                                                        by specifying it in the format
                                                        "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify
                                                        a key `cosign.pub` containing
                                                        the public key used for verification,
                                                        (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified
                                                        each key is processed as a
                                                        separate staticKey entry (.attestors[*].entries.keys)
                                                        within the set of attestors
                                                        and the count is applied across
                                                        the keys.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, or an
                                                        empty object is provided,
                                                        the public instance of Rekor
                                                        (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha256
                                                        and sha512
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: Repository is an optional
                                                    alternate OCI repository to use
                                                    for signatures and attestations
                                                    that match this rule. If specified
                                                    Repository will override other
                                                    OCI image repository locations
                                                    for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: Conditions are used to verify attributes
                                        within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long
                                        there are predicates that match the predicate
                                        type.
                                      items:
                                        description: AnyAllConditions consists of
                                          conditions wrapped denoting a logical criteria
                                          to be fulfilled. AnyConditions get fulfilled
                                          when at least one of its sub-conditions
                                          passes. AllConditions get fulfilled only
                                          when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: AllConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, all of the conditions need to
                                              pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: AnyConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, at least one of the conditions
                                              need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: PredicateType defines the type
                                        of Predicate contained within the Statement.
                                        Deprecated in favour of 'Type', to be removed
                                        soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specified the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: Count specifies the required number
                                        of entries that must match. If the count is
                                        null, all entries must match (a logical AND).
                                        If the count is 1, at least one entry must
                                        match (a logical OR). If the count contains
                                        a value N, then N must be less than or equal
                                        to the size of entries, and at least N entries
                                        must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: Entries contains the available
                                        attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a
                                        nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: Annotations are used for
                                              image verification. Every specified
                                              key-value pair must exist and match
                                              in the verified payload. The payload
                                              may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested AttestorSet
                                              used to specify a more complex set of
                                              match authorities
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates
                                            properties:
                                              cert:
                                                description: Certificate is an optional
                                                  PEM encoded public certificate.
                                                type: string
                                              certChain:
                                                description: CertificateChain is an
                                                  optional PEM encoded set of certificates
                                                  used to verify
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked. If an empty object is provided
                                                  the public instance of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                            type: object
                                          keyless:
                                            description: Keyless is a set of attribute
                                              used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked and a root certificate chain
                                                  is expected instead. If an empty
                                                  object is provided the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              roots:
                                                description: Roots is an optional
                                                  set of PEM encoded trusted root
                                                  certificates. If not provided, the
                                                  system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys
                                            properties:
                                              kms:
                                                description: 'KMS provides the URI
                                                  to the public key stored in a Key
                                                  Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                type: string
                                              publicKeys:
                                                description: Keys is a set of X.509
                                                  public keys used to verify image
                                                  signatures. The keys can be directly
                                                  specified or can be a variable reference
                                                  to a key specified in a ConfigMap
                                                  (see https://kyverno.io/docs/writing-policies/variables/),
                                                  or reference a standard Kubernetes
                                                  Secret elsewhere in the cluster
                                                  by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a
                                                  key `cosign.pub` containing the
                                                  public key used for verification,
                                                  (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified
                                                  each key is processed as a separate
                                                  staticKey entry (.attestors[*].entries.keys)
                                                  within the set of attestors and
                                                  the count is applied across the
                                                  keys.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, or an empty
                                                  object is provided, the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha256 and sha512
                                                type: string
                                            type: object
                                          repository:
                                            description: Repository is an optional
                                              alternate OCI repository to use for
                                              signatures and attestations that match
                                              this rule. If specified Repository will
                                              override other OCI image repository
                                              locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              image:
                                description: 'Image is the image name consisting of
                                  the registry address, repository, image, and tag.
                                  Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                  Deprecated. Use ImageReferences instead.'
                                type: string
                              imageReferences:
                                description: 'ImageReferences is a list of matching
                                  image reference patterns. At least one pattern in
                                  the list must match the image for the rule to apply.
                                  Each image reference consists of a registry address
                                  (defaults to docker.io), repository, image, and
                                  tag (defaults to latest). Wildcards (''*'' and ''?'')
                                  are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              key:
                                description: Key is the PEM encoded public key that
                                  the image or attestation is signed with. Deprecated.
                                  Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: MutateDigest enables replacement of image
                                  tags with digests. Defaults to true.
                                type: boolean
                              repository:
                                description: Repository is an optional alternate OCI
                                  repository to use for image signatures and attestations
                                  that match this rule. If specified Repository will
                                  override the default OCI image repository configured
                                  for the installation. The repository can also be
                                  overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                  i.e. have matched passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Roots is the PEM encoded Root certificate
                                  chain used for keyless signing Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              subject:
                                description: Subject is the identity used for keyless
                                  signing, for example an email address Deprecated.
                                  Use KeylessAttestor instead.
                                type: string
                              type:
                                description: Type specifies the method of signature
                                  validation. The allowed options are Cosign and Notary.
                                  By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                description: Conditions is a list of conditions that apply to the
                  policy
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Ready indicates if the policy is ready to serve the admission
                  request. Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: RuleCount describes total number of rules in a policy
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: ClusterPolicy declares validation, mutation, and generation behaviors
          for matching resources.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy behaviors.
            properties:
              admission:
                default: true
                description: Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: ApplyRules controls how rules in a policy are applied.
                  Rule are processed in the order of declaration. When set to `One`
                  processing stops after a rule has been applied i.e. the rule matches
                  and results in a pass, fail, or error. When set to `All` all rules
                  in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: Background controls if rules are applied to existing
                  resources during a background scan. Optional. Default value is "true".
                  The value must be set to "false" if the policy rule uses variables
                  that are only available in the admission review request (e.g. user
                  name).
                type: boolean
              failurePolicy:
                description: FailurePolicy defines how unexpected policy errors and
                  webhook response timeout errors are handled. Rules within the same
                  policy share the same failure behavior. Allowed values are Ignore
                  or Fail. Defaults to Fail.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: GenerateExisting controls whether to trigger generate
                  rule in existing resources If is set to "true" generate rule will
                  be triggered and applied to existing matched resources. Defaults
                  to "false" if not specified.
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: MutateExistingOnPolicyUpdate controls if a mutateExisting
                  policy is applied on policy events. Default value is "false".
                type: boolean
              rules:
                description: Rules is a list of Rule instances. A Policy contains
                  multiple rules and each rule can validate, mutate, or generate resources.
                items:
                  description: Rule defines a validation, mutation, or generation
                    control for matching resources. Each rules contains a match declaration
                    to select resources, and an optional exclude declaration to specify
                    which resources to exclude.
                  properties:
                    celPreconditions:
                      description: CELPreconditions are used to determine if a policy
                        rule should be applied by evaluating a set of CEL conditions.
                        It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          by fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: "Expression represents the expression which
                              will be evaluated by CEL. Must evaluate to bool. CEL
                              expressions have access to the contents of the AdmissionRequest
                              and Authorizer, organized into CEL variables: \n 'object'
                              - The object from the incoming request. The value is
                              null for DELETE requests. 'oldObject' - The existing
                              object. The value is null for CREATE requests. 'request'
                              - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform
                              authorization checks for the principal (user or service
                              account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed
                              from the 'authorizer' and configured with the request
                              resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
                              \n Required."
                            type: string
                          name:
                            description: "Name is an identifier for this match condition,
                              used for strategic merging of MatchConditions, as well
                              as providing an identifier for logging purposes. A good
                              name should be descriptive of the associated expression.
                              Name must be a qualified name consisting of alphanumeric
                              characters, '-', '_' or '.', and must start and end
                              with an alphanumeric character (e.g. 'MyName',  or 'my.name',
                              \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                              with an optional DNS subdomain prefix and '/' (e.g.
                              'example.com/MyName') \n Required."
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: ContextEntry adds variables and data sources
                          to a rule Context. Either a ConfigMap reference or a APILookup
                          must be provided.
                        properties:
                          apiCall:
                            description: APICall is an HTTP request to the Kubernetes
                              API server, or other JSON web service. The data returned
                              is stored in the context with the name for the context
                              entry.
                            properties:
                              data:
                                description: Data specifies the POST data sent to
                                  the server.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the JSON response
                                  returned from the server. For example a JMESPath
                                  of "items | length(@)" applied to the API server
                                  response for the URLPath "/apis/apps/v1/deployments"
                                  will return the total count of deployments across
                                  all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST).
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: Service is an API call to a JSON web
                                  service
                                properties:
                                  caBundle:
                                    description: CABundle is a PEM encoded CA bundle
                                      which will be used to validate the server certificate.
                                    type: string
                                  url:
                                    description: URL is the JSON web service URL.
                                      A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: URLPath is the URL path to be used in
                                  the HTTP GET or POST request to the Kubernetes API
                                  server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the
                                  `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          imageRegistry:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
                                  returned as a result of processing the image reference.
                                type: string
                              reference:
                                description: 'Reference is image reference to a container
                                  image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: Default is an optional arbitrary JSON
                                  object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: JMESPath is an optional JMESPath Expression
                                  that can be used to transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: ExcludeResources defines when this policy rule
                        should not be applied. The exclude criteria can include resource
                        information (e.g. kind, name, namespace, labels) and admission
                        review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: Clone specifies the source resource used to
                            populate each generated resource. At most one of Data
                            or Clone can be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resource
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: Selector is a label selector. Label keys
                                and values in `matchLabels`. wildcard characters are
                                not supported.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: Data provides the resource declaration used
                            to populate each generated resource. At most one of Data
                            or Clone must be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        synchronize:
                          description: Synchronize controls if generated resources
                            should be kept in-sync with their source resource. If
                            Synchronize is set to "true" changes to generated resources
                            will be overwritten with resource data from Data or the
                            resource specified in the Clone declaration. Optional.
                            Defaults to "false" if not specified.
                          type: boolean
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: 'JMESPath is an optional JMESPath expression
                                to apply to the image value. This is useful when the
                                extracted image begins with a prefix like ''docker://''.
                                The ''trim_prefix'' function may be used to trim the
                                prefix: trim_prefix(@, ''docker://''). Note - Image
                                digest mutation may not be used when applying a JMESPAth
                                to an image.'
                              type: string
                            key:
                              description: Key is an optional name of the field within
                                'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: Name is the entry the image will be available
                                under 'images.<name>' in the context. If this field
                                is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: Path is the path to the object containing
                                the image field in a custom resource. It should be
                                slash-separated. Each slash-separated key must be
                                a valid YAML key or a wildcard '*'. Wildcard keys
                                are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: Value is an optional name of the field
                                within 'path' that points to the image URI. This is
                                useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: ImageExtractors defines a mapping from kinds to
                        ImageExtractorConfigs. This config is only valid for verifyImages
                        rules.
                      type: object
                    match:
                      description: MatchResources defines when this policy rule should
                        be applied. The match criteria can include resource information
                        (e.g. kind, name, namespace, labels) and admission review
                        request information like the user name or role. At least one
                        kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              order:
                                description: Order defines the iteration order on
                                  the list. Can be Ascending to iterate from first
                                  to last element or Descending to iterate in from
                                  last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: PatchStrategicMerge is a strategic merge
                                  patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: PatchesJSON6902 is a list of RFC 6902
                                  JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        patchStrategicMerge:
                          description: PatchStrategicMerge is a strategic merge patch
                            used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: PatchesJSON6902 is a list of RFC 6902 JSON
                            Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: 'Preconditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements
                                  is supported for backwards compatibility but will
                                  be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule, It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: 'Preconditions are used to determine if a policy
                        rule should be applied by evaluating a set of conditions.
                        The declaration can contain nested `any` or `all` statements.
                        A direct list of conditions (without `any` or `all` statements
                        is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/'
                      properties:
                        all:
                          description: AllConditions enable variable-based conditional
                            rule execution. This is useful for finer control of when
                            an rule is applied. A condition can reference object data
                            using JMESPath notation. Here, all of the conditions need
                            to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: 'Operator is the conditional operation
                                  to perform. Valid operators are: Equals, NotEquals,
                                  In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                  DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: Value is the conditional value, or set
                                  of values. The values can be fixed set or can be
                                  variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        any:
                          description: AnyConditions enable variable-based conditional
                            rule execution. This is useful for finer control of when
                            an rule is applied. A condition can reference object data
                            using JMESPath notation. Here, at least one of the conditions
                            need to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: 'Operator is the conditional operation
                                  to perform. Valid operators are: Equals, NotEquals,
                                  In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                  DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: Value is the conditional value, or set
                                  of values. The values can be fixed set or can be
                                  variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: AnyPattern specifies list of validation patterns.
                            At least one of the patterns must be satisfied for the
                            validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: "key specifies the audit annotation
                                      key. The audit annotation keys of a ValidatingAdmissionPolicy
                                      must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
                                      63 bytes in length. \n The key is combined with
                                      the resource name of the ValidatingAdmissionPolicy
                                      to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                      name}/{key}\". \n If an admission webhook uses
                                      the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation
                                      key will be identical. In this case, the first
                                      annotation written with the key will be included
                                      in the audit event and all subsequent annotations
                                      with the same key will be discarded. \n Required."
                                    type: string
                                  valueExpression:
                                    description: "valueExpression represents the expression
                                      which is evaluated by CEL to produce an audit
                                      annotation value. The expression must evaluate
                                      to either a string or null value. If the expression
                                      evaluates to a string, the audit annotation
                                      is included with the string value. If the expression
                                      evaluates to null or empty string the audit
                                      annotation will be omitted. The valueExpression
                                      may be no longer than 5kb in length. If the
                                      result of the valueExpression is more than 10kb
                                      in length, it will be truncated to 10kb. \n
                                      If multiple ValidatingAdmissionPolicyBinding
                                      resources match an API request, then the valueExpression
                                      will be evaluated for each binding. All unique
                                      values produced by the valueExpressions will
                                      be joined together in a comma-separated list.
                                      \n Required."
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                      CEL expressions have access to the contents
                                      of the API request/response, organized into
                                      CEL variables as well as some other useful variables:
                                      \n - 'object' - The object from the incoming
                                      request. The value is null for DELETE requests.
                                      - 'oldObject' - The existing object. The value
                                      is null for CREATE requests. - 'request' - Attributes
                                      of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                      - 'params' - Parameter resource referred to
                                      by the policy binding being evaluated. Only
                                      populated if the policy has a ParamKind. - 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                      - 'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the request resource. \n The `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the object.
                                      No other metadata properties are accessible.
                                      \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible. Accessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression: - '__' escapes to
                                      '__underscores__' - '.' escapes to '__dot__'
                                      - '-' escapes to '__dash__' - '/' escapes to
                                      '__slash__' - Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are: \"true\", \"false\", \"null\",
                                      \"in\", \"as\", \"break\", \"const\", \"continue\",
                                      \"else\", \"for\", \"function\", \"if\", \"import\",
                                      \"let\", \"loop\", \"package\", \"namespace\",
                                      \"return\". Examples: - Expression accessing
                                      a property named \"namespace\": {\"Expression\":
                                      \"object.__namespace__ > 0\"} - Expression accessing
                                      a property named \"x-prop\": {\"Expression\":
                                      \"object.x__dash__prop > 0\"} - Expression accessing
                                      a property named \"redact__d\": {\"Expression\":
                                      \"object.redact__underscores__d > 0\"} \n Equality
                                      on arrays with list type of 'set' or 'map' ignores
                                      element order, i.e. [1, 2] == [2, 1]. Concatenation
                                      on arrays with x-kubernetes-list-type use the
                                      semantics of the list type: - 'set': `X + Y`
                                      performs a union where the array positions of
                                      all elements in `X` are preserved and non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order. - 'map': `X + Y` performs a merge
                                      where the array positions of all keys in `X`
                                      are preserved but the values are overwritten
                                      by values in `Y` when the key sets of `X` and
                                      `Y` intersect. Elements in `Y` with non-intersecting
                                      keys are appended, retaining their partial order.
                                      Required."
                                    type: string
                                  message:
                                    description: 'Message represents the message displayed
                                      when validation fails. The message is required
                                      if the Expression contains line breaks. The
                                      message must not contain line breaks. If unset,
                                      the message is "failed rule: {Rule}". e.g. "must
                                      be a URL with the host matching spec.host" If
                                      the Expression contains line breaks. Message
                                      is required. The message must not contain line
                                      breaks. If unset, the message is "failed Expression:
                                      {Expression}".'
                                    type: string
                                  messageExpression:
                                    description: 'messageExpression declares a CEL
                                      expression that evaluates to the validation
                                      failure message that is returned when this rule
                                      fails. Since messageExpression is used as a
                                      failure message, it must evaluate to a string.
                                      If both message and messageExpression are present
                                      on a validation, then messageExpression will
                                      be used if validation fails. If messageExpression
                                      results in a runtime error, the runtime error
                                      is logged, and the validation failure message
                                      is produced as if the messageExpression field
                                      were unset. If messageExpression evaluates to
                                      an empty string, a string with only spaces,
                                      or a string that contains line breaks, then
                                      the validation failure message will also be
                                      produced as if the messageExpression field were
                                      unset, and the fact that messageExpression produced
                                      an empty string/string with only spaces/string
                                      with line breaks will be logged. messageExpression
                                      has access to all the same variables as the
                                      `expression` except for ''authorizer'' and ''authorizer.requestResource''.
                                      Example: "object.x must be less than max ("+string(params.max)+")"'
                                    type: string
                                  reason:
                                    description: 'Reason represents a machine-readable
                                      description of why this validation failed. If
                                      this is the first validation in the list to
                                      fail, this reason, as well as the corresponding
                                      HTTP response code, are used in the HTTP response
                                      to the client. The currently supported reasons
                                      are: "Unauthorized", "Forbidden", "Invalid",
                                      "RequestEntityTooLarge". If not set, StatusReasonInvalid
                                      is used in the response to the client.'
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: APIVersion is the API group version
                                    the resources belong to. In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: Kind is the API kind the resources
                                    belong to. Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: Name of the resource being referenced.
                                  type: string
                                namespace:
                                  description: Namespace of the referenced resource.
                                    Should be empty for the cluster-scoped resources
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: 'Multiple conditions can be declared under
                                an `any` or `all` statement. A direct list of conditions
                                (without `any` or `all` statements) is also supported
                                for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                              properties:
                                all:
                                  description: AllConditions enable variable-based
                                    conditional rule execution. This is useful for
                                    finer control of when an rule is applied. A condition
                                    can reference object data using JMESPath notation.
                                    Here, all of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: 'Operator is the conditional
                                          operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn,
                                          AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan,
                                          DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan'
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: Value is the conditional value,
                                          or set of values. The values can be fixed
                                          set or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                                any:
                                  description: AnyConditions enable variable-based
                                    conditional rule execution. This is useful for
                                    finer control of when an rule is applied. A condition
                                    can reference object data using JMESPath notation.
                                    Here, at least one of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: 'Operator is the conditional
                                          operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn,
                                          AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan,
                                          DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan'
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: Value is the conditional value,
                                          or set of values. The values can be fixed
                                          set or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                              type: object
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: AnyPattern specifies list of validation
                                  patterns. At least one of the patterns must be satisfied
                                  for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: 'Multiple conditions can be declared
                                      under an `any` or `all` statement. A direct
                                      list of conditions (without `any` or `all` statements)
                                      is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: ElementScope specifies whether to use
                                  the current list element as the scope for validation.
                                  Defaults to "true" if not specified. When set to
                                  "false", "request.object" is used as the validation
                                  scope within the foreach block to allow referencing
                                  other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specified the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: Count specifies the required number
                                      of entries that must match. If the count is
                                      null, all entries must match (a logical AND).
                                      If the count is 1, at least one entry must match
                                      (a logical OR). If the count contains a value
                                      N, then N must be less than or equal to the
                                      size of entries, and at least N entries must
                                      match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: Entries contains the available attestors.
                                      An attestor can be a static key, attributes
                                      for keyless verification, or a nested attestor
                                      declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: Annotations are used for image
                                            verification. Every specified key-value
                                            pair must exist and match in the verified
                                            payload. The payload may contain other
                                            key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested AttestorSet
                                            used to specify a more complex set of
                                            match authorities
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates
                                          properties:
                                            cert:
                                              description: Certificate is an optional
                                                PEM encoded public certificate.
                                              type: string
                                            certChain:
                                              description: CertificateChain is an
                                                optional PEM encoded set of certificates
                                                used to verify
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked. If an empty object is provided
                                                the public instance of Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                          type: object
                                        keyless:
                                          description: Keyless is a set of attribute
                                            used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked and a root certificate chain
                                                is expected instead. If an empty object
                                                is provided the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            roots:
                                              description: Roots is an optional set
                                                of PEM encoded trusted root certificates.
                                                If not provided, the system roots
                                                are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys
                                          properties:
                                            kms:
                                              description: 'KMS provides the URI to
                                                the public key stored in a Key Management
                                                System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                              type: string
                                            publicKeys:
                                              description: Keys is a set of X.509
                                                public keys used to verify image signatures.
                                                The keys can be directly specified
                                                or can be a variable reference to
                                                a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/),
                                                or reference a standard Kubernetes
                                                Secret elsewhere in the cluster by
                                                specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key
                                                `cosign.pub` containing the public
                                                key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each
                                                key is processed as a separate staticKey
                                                entry (.attestors[*].entries.keys)
                                                within the set of attestors and the
                                                count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, or an empty object
                                                is provided, the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha256 and sha512
                                              type: string
                                          type: object
                                        repository:
                                          description: Repository is an optional alternate
                                            OCI repository to use for signatures and
                                            attestations that match this rule. If
                                            specified Repository will override other
                                            OCI image repository locations for this
                                            Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: Repository is an optional alternate OCI
                                repository to use for resource bundle reference. The
                                repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: PodSecurity applies exemptions for Kubernetes
                            Pod Security admission by specifying exclusions for Pod
                            Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: 'ControlName specifies the name of
                                      the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: 'Images selects matching containers
                                      and applies the container level PSS. Each image
                                      is the image name consisting of the registry
                                      address, repository, image, and tag. Empty list
                                      matches no containers, PSS checks are applied
                                      at the pod level only. Wildcards (''*'' and
                                      ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: Level defines the Pod Security Standard
                                level to be applied to workloads. Allowed values are
                                privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: Version defines the Pod Security Standard
                                versions that Kubernetes supports. Allowed values
                                are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
                                v1.26, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - latest
                              type: string
                          type: object
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: ImageVerification validates that images that
                          match the specified pattern are signed with the supplied
                          public key. Once the image is verified it is mutated to
                          include the SHA digest retrieved during the registration.
                        properties:
                          attestations:
                            description: Attestations are optional checks for signed
                              in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
                              Kyverno fetches signed attestations from the OCI registry
                              and decodes them into a list of Statement declarations.
                            items:
                              description: Attestation are checks for signed in-toto
                                Statements that are used to verify the image. See
                                https://github.com/in-toto/attestation. Kyverno fetches
                                signed attestations from the OCI registry and decodes
                                them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: Conditions are used to verify attributes
                                    within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long there
                                    are predicates that match the predicate type.
                                  items:
                                    description: AnyAllConditions consists of conditions
                                      wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one
                                      of its sub-conditions passes. AllConditions
                                      get fulfilled only when all of its sub-conditions
                                      pass.
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: PredicateType defines the type of Predicate
                                    contained within the Statement. Deprecated in
                                    favour of 'Type', to be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specified the required attestors
                              (i.e. authorities)
                            items:
                              properties:
                                count:
                                  description: Count specifies the required number
                                    of entries that must match. If the count is null,
                                    all entries must match (a logical AND). If the
                                    count is 1, at least one entry must match (a logical
                                    OR). If the count contains a value N, then N must
                                    be less than or equal to the size of entries,
                                    and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: Entries contains the available attestors.
                                    An attestor can be a static key, attributes for
                                    keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations are used for image
                                          verification. Every specified key-value
                                          pair must exist and match in the verified
                                          payload. The payload may contain other key-value
                                          pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested AttestorSet
                                          used to specify a more complex set of match
                                          authorities
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates
                                        properties:
                                          cert:
                                            description: Certificate is an optional
                                              PEM encoded public certificate.
                                            type: string
                                          certChain:
                                            description: CertificateChain is an optional
                                              PEM encoded set of certificates used
                                              to verify
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked.
                                              If an empty object is provided the public
                                              instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                        type: object
                                      keyless:
                                        description: Keyless is a set of attribute
                                          used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked
                                              and a root certificate chain is expected
                                              instead. If an empty object is provided
                                              the public instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          roots:
                                            description: Roots is an optional set
                                              of PEM encoded trusted root certificates.
                                              If not provided, the system roots are
                                              used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys
                                        properties:
                                          kms:
                                            description: 'KMS provides the URI to
                                              the public key stored in a Key Management
                                              System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                            type: string
                                          publicKeys:
                                            description: Keys is a set of X.509 public
                                              keys used to verify image signatures.
                                              The keys can be directly specified or
                                              can be a variable reference to a key
                                              specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                              or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying
                                              it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key
                                              `cosign.pub` containing the public key
                                              used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each
                                              key is processed as a separate staticKey
                                              entry (.attestors[*].entries.keys) within
                                              the set of attestors and the count is
                                              applied across the keys.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, or an empty object
                                              is provided, the public instance of
                                              Rekor (https://rekor.sigstore.dev) is
                                              used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha256 and sha512
                                            type: string
                                        type: object
                                      repository:
                                        description: Repository is an optional alternate
                                          OCI repository to use for signatures and
                                          attestations that match this rule. If specified
                                          Repository will override other OCI image
                                          repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          imageReferences:
                            description: 'ImageReferences is a list of matching image
                              reference patterns. At least one pattern in the list
                              must match the image for the rule to apply. Each image
                              reference consists of a registry address (defaults to
                              docker.io), repository, image, and tag (defaults to
                              latest). Wildcards (''*'' and ''?'') are allowed. See:
                              https://kubernetes.io/docs/concepts/containers/images.'
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry
                                type: boolean
                              providers:
                                description: 'Providers specifies a list of OCI Registry
                                  names, whose authentication providers are provided
                                  It can be of one of these values: AWS, ACR, GCP,
                                  GHCR'
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: Secrets specifies a list of secrets that
                                  are provided for credentials Secrets must live in
                                  the Kyverno namespace
                                items:
                                  type: string
                                type: array
                            type: object
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
                              tags with digests. Defaults to true.
                            type: boolean
                          repository:
                            description: Repository is an optional alternate OCI repository
                              to use for image signatures and attestations that match
                              this rule. If specified Repository will override the
                              default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or
                              Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have matched passed a signature or attestation
                              check.
                            type: boolean
                          type:
                            description: Type specifies the method of signature validation.
                              The allowed options are Cosign and Notary. By default
                              Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: SchemaValidation skips validation checks for policies
                  as well as patched resources. Optional. The default value is set
                  to "true", it must be set to "false" to disable the validation checks.
                type: boolean
              useServerSideApply:
                description: UseServerSideApply controls whether to use server-side
                  apply for generate rules If is set to "true" create & update for
                  generate rules will use apply instead of create/update. Defaults
                  to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: ValidationFailureAction defines if a validation policy
                  rule violation should block the admission review request (enforce),
                  or allow (audit) the admission review request and report an error
                  in a policy report. Optional. Allowed values are audit or enforce.
                  The default value is "Audit".
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
                  attribute that specifies ValidationFailureAction namespace-wise.
                  It overrides ValidationFailureAction for the specified namespaces.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookTimeoutSeconds:
                description: WebhookTimeoutSeconds specifies the maximum time in seconds
                  allowed to apply this policy. After the configured time expires,
                  the admission request may fail, or may simply ignore the policy
                  results, based on the failure policy. The default timeout is 10s,
                  the value must be between 1 and 30 seconds.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: Autogen contains autogen status information
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: Rule defines a validation, mutation, or generation
                        control for matching resources. Each rules contains a match
                        declaration to select resources, and an optional exclude declaration
                        to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: CELPreconditions are used to determine if a
                            policy rule should be applied by evaluating a set of CEL
                            conditions. It can only be used with the validate.cel
                            subrule
                          items:
                            description: MatchCondition represents a condition which
                              must by fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: "Expression represents the expression
                                  which will be evaluated by CEL. Must evaluate to
                                  bool. CEL expressions have access to the contents
                                  of the AdmissionRequest and Authorizer, organized
                                  into CEL variables: \n 'object' - The object from
                                  the incoming request. The value is null for DELETE
                                  requests. 'oldObject' - The existing object. The
                                  value is null for CREATE requests. 'request' - Attributes
                                  of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to
                                  perform authorization checks for the principal (user
                                  or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck
                                  constructed from the 'authorizer' and configured
                                  with the request resource. Documentation on CEL:
                                  https://kubernetes.io/docs/reference/using-api/cel/
                                  \n Required."
                                type: string
                              name:
                                description: "Name is an identifier for this match
                                  condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes.
                                  A good name should be descriptive of the associated
                                  expression. Name must be a qualified name consisting
                                  of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character
                                  (e.g. 'MyName',  or 'my.name',  or '123-abc', regex
                                  used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                                  with an optional DNS subdomain prefix and '/' (e.g.
                                  'example.com/MyName') \n Required."
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: ContextEntry adds variables and data sources
                              to a rule Context. Either a ConfigMap reference or a
                              APILookup must be provided.
                            properties:
                              apiCall:
                                description: APICall is an HTTP request to the Kubernetes
                                  API server, or other JSON web service. The data
                                  returned is stored in the context with the name
                                  for the context entry.
                                properties:
                                  data:
                                    description: Data specifies the POST data sent
                                      to the server.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      JSON response returned from the server. For
                                      example a JMESPath of "items | length(@)" applied
                                      to the API server response for the URLPath "/apis/apps/v1/deployments"
                                      will return the total count of deployments across
                                      all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST).
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: Service is an API call to a JSON
                                      web service
                                    properties:
                                      caBundle:
                                        description: CABundle is a PEM encoded CA
                                          bundle which will be used to validate the
                                          server certificate.
                                        type: string
                                      url:
                                        description: URL is the JSON web service URL.
                                          A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: URLPath is the URL path to be used
                                      in the HTTP GET or POST request to the Kubernetes
                                      API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used
                                      by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              imageRegistry:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry
                                        type: boolean
                                      providers:
                                        description: 'Providers specifies a list of
                                          OCI Registry names, whose authentication
                                          providers are provided It can be of one
                                          of these values: AWS, ACR, GCP, GHCR'
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: Secrets specifies a list of secrets
                                          that are provided for credentials Secrets
                                          must live in the Kyverno namespace
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: 'Reference is image reference to
                                      a container image in the registry. Example:
                                      ghcr.io/kyverno/kyverno:latest'
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: Default is an optional arbitrary
                                      JSON object that the variable may take if the
                                      JMESPath expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: JMESPath is an optional JMESPath
                                      Expression that can be used to transform the
                                      variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: ExcludeResources defines when this policy rule
                            should not be applied. The exclude criteria can include
                            resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name
                            or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: Clone specifies the source resource used
                                to populate each generated resource. At most one of
                                Data or Clone can be specified. If neither are provided,
                                the generated resource will be created with default
                                data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resource used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: Selector is a label selector. Label
                                    keys and values in `matchLabels`. wildcard characters
                                    are not supported.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: Data provides the resource declaration
                                used to populate each generated resource. At most
                                one of Data or Clone must be specified. If neither
                                are provided, the generated resource will be created
                                with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            synchronize:
                              description: Synchronize controls if generated resources
                                should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated
                                resources will be overwritten with resource data from
                                Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: 'JMESPath is an optional JMESPath expression
                                    to apply to the image value. This is useful when
                                    the extracted image begins with a prefix like
                                    ''docker://''. The ''trim_prefix'' function may
                                    be used to trim the prefix: trim_prefix(@, ''docker://'').
                                    Note - Image digest mutation may not be used when
                                    applying a JMESPAth to an image.'
                                  type: string
                                key:
                                  description: Key is an optional name of the field
                                    within 'path' that will be used to uniquely identify
                                    an image. Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: Name is the entry the image will be
                                    available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will
                                    appear under 'images.custom'.
                                  type: string
                                path:
                                  description: Path is the path to the object containing
                                    the image field in a custom resource. It should
                                    be slash-separated. Each slash-separated key must
                                    be a valid YAML key or a wildcard '*'. Wildcard
                                    keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: Value is an optional name of the field
                                    within 'path' that points to the image URI. This
                                    is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: ImageExtractors defines a mapping from kinds
                            to ImageExtractorConfigs. This config is only valid for
                            verifyImages rules.
                          type: object
                        match:
                          description: MatchResources defines when this policy rule
                            should be applied. The match criteria can include resource
                            information (e.g. kind, name, namespace, labels) and admission
                            review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  order:
                                    description: Order defines the iteration order
                                      on the list. Can be Ascending to iterate from
                                      first to last element or Descending to iterate
                                      in from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: PatchStrategicMerge is a strategic
                                      merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: PatchesJSON6902 is a list of RFC
                                      6902 JSON Patch declarations used to modify
                                      resources. See https://tools.ietf.org/html/rfc6902
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            patchStrategicMerge:
                              description: PatchStrategicMerge is a strategic merge
                                patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: PatchesJSON6902 is a list of RFC 6902 JSON
                                Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: 'Preconditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements
                                      is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule, It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: 'Preconditions are used to determine if a policy
                            rule should be applied by evaluating a set of conditions.
                            The declaration can contain nested `any` or `all` statements.
                            A direct list of conditions (without `any` or `all` statements
                            is supported for backwards compatibility but will be deprecated
                            in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                          x-kubernetes-preserve-unknown-fields: true
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: AnyPattern specifies list of validation
                                patterns. At least one of the patterns must be satisfied
                                for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: "key specifies the audit annotation
                                          key. The audit annotation keys of a ValidatingAdmissionPolicy
                                          must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
                                          than 63 bytes in length. \n The key is combined
                                          with the resource name of the ValidatingAdmissionPolicy
                                          to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                          name}/{key}\". \n If an admission webhook
                                          uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation
                                          key will be identical. In this case, the
                                          first annotation written with the key will
                                          be included in the audit event and all subsequent
                                          annotations with the same key will be discarded.
                                          \n Required."
                                        type: string
                                      valueExpression:
                                        description: "valueExpression represents the
                                          expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression
                                          must evaluate to either a string or null
                                          value. If the expression evaluates to a
                                          string, the audit annotation is included
                                          with the string value. If the expression
                                          evaluates to null or empty string the audit
                                          annotation will be omitted. The valueExpression
                                          may be no longer than 5kb in length. If
                                          the result of the valueExpression is more
                                          than 10kb in length, it will be truncated
                                          to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
                                          resources match an API request, then the
                                          valueExpression will be evaluated for each
                                          binding. All unique values produced by the
                                          valueExpressions will be joined together
                                          in a comma-separated list. \n Required."
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                          CEL expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables: \n - 'object' - The object from
                                          the incoming request. The value is null
                                          for DELETE requests. - 'oldObject' - The
                                          existing object. The value is null for CREATE
                                          requests. - 'request' - Attributes of the
                                          API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                          - 'params' - Parameter resource referred
                                          to by the policy binding being evaluated.
                                          Only populated if the policy has a ParamKind.
                                          - 'authorizer' - A CEL Authorizer. May be
                                          used to perform authorization checks for
                                          the principal (user or service account)
                                          of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                          - 'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the request resource. \n The `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the
                                          object. No other metadata properties are
                                          accessible. \n Only property names of the
                                          form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
                                          accessible. Accessible property names are
                                          escaped according to the following rules
                                          when accessed in the expression: - '__'
                                          escapes to '__underscores__' - '.' escapes
                                          to '__dot__' - '-' escapes to '__dash__'
                                          - '/' escapes to '__slash__' - Property
                                          names that exactly match a CEL RESERVED
                                          keyword escape to '__{keyword}__'. The keywords
                                          are: \"true\", \"false\", \"null\", \"in\",
                                          \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",
                                          \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\". Examples: - Expression
                                          accessing a property named \"namespace\":
                                          {\"Expression\": \"object.__namespace__
                                          > 0\"} - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"} - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"} \n Equality on arrays with list type
                                          of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1]. Concatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type: - 'set': `X
                                          + Y` performs a union where the array positions
                                          of all elements in `X` are preserved and
                                          non-intersecting elements in `Y` are appended,
                                          retaining their partial order. - 'map':
                                          `X + Y` performs a merge where the array
                                          positions of all keys in `X` are preserved
                                          but the values are overwritten by values
                                          in `Y` when the key sets of `X` and `Y`
                                          intersect. Elements in `Y` with non-intersecting
                                          keys are appended, retaining their partial
                                          order. Required."
                                        type: string
                                      message:
                                        description: 'Message represents the message
                                          displayed when validation fails. The message
                                          is required if the Expression contains line
                                          breaks. The message must not contain line
                                          breaks. If unset, the message is "failed
                                          rule: {Rule}". e.g. "must be a URL with
                                          the host matching spec.host" If the Expression
                                          contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression:
                                          {Expression}".'
                                        type: string
                                      messageExpression:
                                        description: 'messageExpression declares a
                                          CEL expression that evaluates to the validation
                                          failure message that is returned when this
                                          rule fails. Since messageExpression is used
                                          as a failure message, it must evaluate to
                                          a string. If both message and messageExpression
                                          are present on a validation, then messageExpression
                                          will be used if validation fails. If messageExpression
                                          results in a runtime error, the runtime
                                          error is logged, and the validation failure
                                          message is produced as if the messageExpression
                                          field were unset. If messageExpression evaluates
                                          to an empty string, a string with only spaces,
                                          or a string that contains line breaks, then
                                          the validation failure message will also
                                          be produced as if the messageExpression
                                          field were unset, and the fact that messageExpression
                                          produced an empty string/string with only
                                          spaces/string with line breaks will be logged.
                                          messageExpression has access to all the
                                          same variables as the `expression` except
                                          for ''authorizer'' and ''authorizer.requestResource''.
                                          Example: "object.x must be less than max
                                          ("+string(params.max)+")"'
                                        type: string
                                      reason:
                                        description: 'Reason represents a machine-readable
                                          description of why this validation failed.
                                          If this is the first validation in the list
                                          to fail, this reason, as well as the corresponding
                                          HTTP response code, are used in the HTTP
                                          response to the client. The currently supported
                                          reasons are: "Unauthorized", "Forbidden",
                                          "Invalid", "RequestEntityTooLarge". If not
                                          set, StatusReasonInvalid is used in the
                                          response to the client.'
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: APIVersion is the API group version
                                        the resources belong to. In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: Kind is the API kind the resources
                                        belong to. Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: Name of the resource being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced resource.
                                        Should be empty for the cluster-scoped resources
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: 'Multiple conditions can be declared
                                    under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements)
                                    is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: AnyPattern specifies list of validation
                                      patterns. At least one of the patterns must
                                      be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: 'Multiple conditions can be declared
                                          under an `any` or `all` statement. A direct
                                          list of conditions (without `any` or `all`
                                          statements) is also supported for backwards
                                          compatibility but will be deprecated in
                                          the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: ElementScope specifies whether to
                                      use the current list element as the scope for
                                      validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used
                                      as the validation scope within the foreach block
                                      to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specified the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: Repository is an optional alternate
                                    OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor
                                    or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: PodSecurity applies exemptions for Kubernetes
                                Pod Security admission by specifying exclusions for
                                Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: 'ControlName specifies the name
                                          of the Pod Security Standard control. See:
                                          https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: 'Images selects matching containers
                                          and applies the container level PSS. Each
                                          image is the image name consisting of the
                                          registry address, repository, image, and
                                          tag. Empty list matches no containers, PSS
                                          checks are applied at the pod level only.
                                          Wildcards (''*'' and ''?'') are allowed.
                                          See: https://kubernetes.io/docs/concepts/containers/images.'
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: Level defines the Pod Security Standard
                                    level to be applied to workloads. Allowed values
                                    are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: Version defines the Pod Security Standard
                                    versions that Kubernetes supports. Allowed values
                                    are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
                                    v1.25, v1.26, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - latest
                                  type: string
                              type: object
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: ImageVerification validates that images that
                              match the specified pattern are signed with the supplied
                              public key. Once the image is verified it is mutated
                              to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: AdditionalExtensions are certificate-extensions
                                  used for keyless signing. Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Annotations are used for image verification.
                                  Every specified key-value pair must exist and match
                                  in the verified payload. The payload may contain
                                  other key-value pairs. Deprecated. Use annotations
                                  per Attestor instead.
                                type: object
                              attestations:
                                description: Attestations are optional checks for
                                  signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno
                                  fetches signed attestations from the OCI registry
                                  and decodes them into a list of Statement declarations.
                                items:
                                  description: Attestation are checks for signed in-toto
                                    Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno
                                    fetches signed attestations from the OCI registry
                                    and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities)
                                      items:
                                        properties:
                                          count:
                                            description: Count specifies the required
                                              number of entries that must match. If
                                              the count is null, all entries must
                                              match (a logical AND). If the count
                                              is 1, at least one entry must match
                                              (a logical OR). If the count contains
                                              a value N, then N must be less than
                                              or equal to the size of entries, and
                                              at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: Entries contains the available
                                              attestors. An attestor can be a static
                                              key, attributes for keyless verification,
                                              or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: Annotations are used
                                                    for image verification. Every
                                                    specified key-value pair must
                                                    exist and match in the verified
                                                    payload. The payload may contain
                                                    other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    AttestorSet used to specify a
                                                    more complex set of match authorities
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates
                                                  properties:
                                                    cert:
                                                      description: Certificate is
                                                        an optional PEM encoded public
                                                        certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertificateChain
                                                        is an optional PEM encoded
                                                        set of certificates used to
                                                        verify
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked. If an empty
                                                        object is provided the public
                                                        instance of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: Keyless is a set of
                                                    attribute used to verify a Sigstore
                                                    keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked and a root
                                                        certificate chain is expected
                                                        instead. If an empty object
                                                        is provided the public instance
                                                        of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    roots:
                                                      description: Roots is an optional
                                                        set of PEM encoded trusted
                                                        root certificates. If not
                                                        provided, the system roots
                                                        are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys
                                                  properties:
                                                    kms:
                                                      description: 'KMS provides the
                                                        URI to the public key stored
                                                        in a Key Management System.
                                                        See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                      type: string
                                                    publicKeys:
                                                      description: Keys is a set of
                                                        X.509 public keys used to
                                                        verify image signatures. The
                                                        keys can be directly specified
                                                        or can be a variable reference
                                                        to a key specified in a ConfigMap
                                                        (see https://kyverno.io/docs/writing-policies/variables/),
                                                        or reference a standard Kubernetes
                                                        Secret elsewhere in the cluster
                                                        by specifying it in the format
                                                        "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify
                                                        a key `cosign.pub` containing
                                                        the public key used for verification,
                                                        (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified
                                                        each key is processed as a
                                                        separate staticKey entry (.attestors[*].entries.keys)
                                                        within the set of attestors
                                                        and the count is applied across
                                                        the keys.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, or an
                                                        empty object is provided,
                                                        the public instance of Rekor
                                                        (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha256
                                                        and sha512
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: Repository is an optional
                                                    alternate OCI repository to use
                                                    for signatures and attestations
                                                    that match this rule. If specified
                                                    Repository will override other
                                                    OCI image repository locations
                                                    for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: Conditions are used to verify attributes
                                        within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long
                                        there are predicates that match the predicate
                                        type.
                                      items:
                                        description: AnyAllConditions consists of
                                          conditions wrapped denoting a logical criteria
                                          to be fulfilled. AnyConditions get fulfilled
                                          when at least one of its sub-conditions
                                          passes. AllConditions get fulfilled only
                                          when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: AllConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, all of the conditions need to
                                              pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: AnyConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, at least one of the conditions
                                              need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: PredicateType defines the type
                                        of Predicate contained within the Statement.
                                        Deprecated in favour of 'Type', to be removed
                                        soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specified the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: Count specifies the required number
                                        of entries that must match. If the count is
                                        null, all entries must match (a logical AND).
                                        If the count is 1, at least one entry must
                                        match (a logical OR). If the count contains
                                        a value N, then N must be less than or equal
                                        to the size of entries, and at least N entries
                                        must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: Entries contains the available
                                        attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a
                                        nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: Annotations are used for
                                              image verification. Every specified
                                              key-value pair must exist and match
                                              in the verified payload. The payload
                                              may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested AttestorSet
                                              used to specify a more complex set of
                                              match authorities
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates
                                            properties:
                                              cert:
                                                description: Certificate is an optional
                                                  PEM encoded public certificate.
                                                type: string
                                              certChain:
                                                description: CertificateChain is an
                                                  optional PEM encoded set of certificates
                                                  used to verify
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked. If an empty object is provided
                                                  the public instance of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                            type: object
                                          keyless:
                                            description: Keyless is a set of attribute
                                              used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked and a root certificate chain
                                                  is expected instead. If an empty
                                                  object is provided the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              roots:
                                                description: Roots is an optional
                                                  set of PEM encoded trusted root
                                                  certificates. If not provided, the
                                                  system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys
                                            properties:
                                              kms:
                                                description: 'KMS provides the URI
                                                  to the public key stored in a Key
                                                  Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                type: string
                                              publicKeys:
                                                description: Keys is a set of X.509
                                                  public keys used to verify image
                                                  signatures. The keys can be directly
                                                  specified or can be a variable reference
                                                  to a key specified in a ConfigMap
                                                  (see https://kyverno.io/docs/writing-policies/variables/),
                                                  or reference a standard Kubernetes
                                                  Secret elsewhere in the cluster
                                                  by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a
                                                  key `cosign.pub` containing the
                                                  public key used for verification,
                                                  (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified
                                                  each key is processed as a separate
                                                  staticKey entry (.attestors[*].entries.keys)
                                                  within the set of attestors and
                                                  the count is applied across the
                                                  keys.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, or an empty
                                                  object is provided, the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha256 and sha512
                                                type: string
                                            type: object
                                          repository:
                                            description: Repository is an optional
                                              alternate OCI repository to use for
                                              signatures and attestations that match
                                              this rule. If specified Repository will
                                              override other OCI image repository
                                              locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              image:
                                description: 'Image is the image name consisting of
                                  the registry address, repository, image, and tag.
                                  Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                  Deprecated. Use ImageReferences instead.'
                                type: string
                              imageReferences:
                                description: 'ImageReferences is a list of matching
                                  image reference patterns. At least one pattern in
                                  the list must match the image for the rule to apply.
                                  Each image reference consists of a registry address
                                  (defaults to docker.io), repository, image, and
                                  tag (defaults to latest). Wildcards (''*'' and ''?'')
                                  are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              key:
                                description: Key is the PEM encoded public key that
                                  the image or attestation is signed with. Deprecated.
                                  Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: MutateDigest enables replacement of image
                                  tags with digests. Defaults to true.
                                type: boolean
                              repository:
                                description: Repository is an optional alternate OCI
                                  repository to use for image signatures and attestations
                                  that match this rule. If specified Repository will
                                  override the default OCI image repository configured
                                  for the installation. The repository can also be
                                  overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                  i.e. have matched passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Roots is the PEM encoded Root certificate
                                  chain used for keyless signing Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              subject:
                                description: Subject is the identity used for keyless
                                  signing, for example an email address Deprecated.
                                  Use KeylessAttestor instead.
                                type: string
                              type:
                                description: Type specifies the method of signature
                                  validation. The allowed options are Cosign and Notary.
                                  By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                description: Conditions is a list of conditions that apply to the
                  policy
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Ready indicates if the policy is ready to serve the admission
                  request. Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: RuleCount describes total number of rules in a policy
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: policies.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: Policy
    listKind: PolicyList
    plural: policies
    shortNames:
    - pol
    singular: policy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: 'Policy declares validation, mutation, and generation behaviors
          for matching resources. See: https://kyverno.io/docs/writing-policies/ for
          more information.'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines policy behaviors and contains one or more rules.
            properties:
              admission:
                default: true
                description: Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: ApplyRules controls how rules in a policy are applied.
                  Rule are processed in the order of declaration. When set to `One`
                  processing stops after a rule has been applied i.e. the rule matches
                  and results in a pass, fail, or error. When set to `All` all rules
                  in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: Background controls if rules are applied to existing
                  resources during a background scan. Optional. Default value is "true".
                  The value must be set to "false" if the policy rule uses variables
                  that are only available in the admission review request (e.g. user
                  name).
                type: boolean
              failurePolicy:
                description: FailurePolicy defines how unexpected policy errors and
                  webhook response timeout errors are handled. Rules within the same
                  policy share the same failure behavior. This field should not be
                  accessed directly, instead `GetFailurePolicy()` should be used.
                  Allowed values are Ignore or Fail. Defaults to Fail.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: GenerateExisting controls whether to trigger generate
                  rule in existing resources If is set to "true" generate rule will
                  be triggered and applied to existing matched resources. Defaults
                  to "false" if not specified.
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: MutateExistingOnPolicyUpdate controls if a mutateExisting
                  policy is applied on policy events. Default value is "false".
                type: boolean
              rules:
                description: Rules is a list of Rule instances. A Policy contains
                  multiple rules and each rule can validate, mutate, or generate resources.
                items:
                  description: Rule defines a validation, mutation, or generation
                    control for matching resources. Each rules contains a match declaration
                    to select resources, and an optional exclude declaration to specify
                    which resources to exclude.
                  properties:
                    celPreconditions:
                      description: CELPreconditions are used to determine if a policy
                        rule should be applied by evaluating a set of CEL conditions.
                        It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          by fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: "Expression represents the expression which
                              will be evaluated by CEL. Must evaluate to bool. CEL
                              expressions have access to the contents of the AdmissionRequest
                              and Authorizer, organized into CEL variables: \n 'object'
                              - The object from the incoming request. The value is
                              null for DELETE requests. 'oldObject' - The existing
                              object. The value is null for CREATE requests. 'request'
                              - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform
                              authorization checks for the principal (user or service
                              account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed
                              from the 'authorizer' and configured with the request
                              resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
                              \n Required."
                            type: string
                          name:
                            description: "Name is an identifier for this match condition,
                              used for strategic merging of MatchConditions, as well
                              as providing an identifier for logging purposes. A good
                              name should be descriptive of the associated expression.
                              Name must be a qualified name consisting of alphanumeric
                              characters, '-', '_' or '.', and must start and end
                              with an alphanumeric character (e.g. 'MyName',  or 'my.name',
                              \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                              with an optional DNS subdomain prefix and '/' (e.g.
                              'example.com/MyName') \n Required."
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: ContextEntry adds variables and data sources
                          to a rule Context. Either a ConfigMap reference or a APILookup
                          must be provided.
                        properties:
                          apiCall:
                            description: APICall is an HTTP request to the Kubernetes
                              API server, or other JSON web service. The data returned
                              is stored in the context with the name for the context
                              entry.
                            properties:
                              data:
                                description: Data specifies the POST data sent to
                                  the server.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the JSON response
                                  returned from the server. For example a JMESPath
                                  of "items | length(@)" applied to the API server
                                  response for the URLPath "/apis/apps/v1/deployments"
                                  will return the total count of deployments across
                                  all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST).
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: Service is an API call to a JSON web
                                  service
                                properties:
                                  caBundle:
                                    description: CABundle is a PEM encoded CA bundle
                                      which will be used to validate the server certificate.
                                    type: string
                                  url:
                                    description: URL is the JSON web service URL.
                                      A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: URLPath is the URL path to be used in
                                  the HTTP GET or POST request to the Kubernetes API
                                  server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the
                                  `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          imageRegistry:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
                                  returned as a result of processing the image reference.
                                type: string
                              reference:
                                description: 'Reference is image reference to a container
                                  image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: Default is an optional arbitrary JSON
                                  object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: JMESPath is an optional JMESPath Expression
                                  that can be used to transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: ExcludeResources defines when this policy rule
                        should not be applied. The exclude criteria can include resource
                        information (e.g. kind, name, namespace, labels) and admission
                        review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified. Requires at least
                            one tag to be specified when under MatchResources. Specifying
                            ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: Clone specifies the source resource used to
                            populate each generated resource. At most one of Data
                            or Clone can be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resource
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: Selector is a label selector. Label keys
                                and values in `matchLabels`. wildcard characters are
                                not supported.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: Data provides the resource declaration used
                            to populate each generated resource. At most one of Data
                            or Clone must be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        synchronize:
                          description: Synchronize controls if generated resources
                            should be kept in-sync with their source resource. If
                            Synchronize is set to "true" changes to generated resources
                            will be overwritten with resource data from Data or the
                            resource specified in the Clone declaration. Optional.
                            Defaults to "false" if not specified.
                          type: boolean
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: 'JMESPath is an optional JMESPath expression
                                to apply to the image value. This is useful when the
                                extracted image begins with a prefix like ''docker://''.
                                The ''trim_prefix'' function may be used to trim the
                                prefix: trim_prefix(@, ''docker://''). Note - Image
                                digest mutation may not be used when applying a JMESPAth
                                to an image.'
                              type: string
                            key:
                              description: Key is an optional name of the field within
                                'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: Name is the entry the image will be available
                                under 'images.<name>' in the context. If this field
                                is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: Path is the path to the object containing
                                the image field in a custom resource. It should be
                                slash-separated. Each slash-separated key must be
                                a valid YAML key or a wildcard '*'. Wildcard keys
                                are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: Value is an optional name of the field
                                within 'path' that points to the image URI. This is
                                useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: ImageExtractors defines a mapping from kinds to
                        ImageExtractorConfigs. This config is only valid for verifyImages
                        rules.
                      type: object
                    match:
                      description: MatchResources defines when this policy rule should
                        be applied. The match criteria can include resource information
                        (e.g. kind, name, namespace, labels) and admission review
                        request information like the user name or role. At least one
                        kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified. Requires at least
                            one tag to be specified when under MatchResources. Specifying
                            ResourceDescription directly under match is being deprecated.
                            Please specify under "any" or "all" instead.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              order:
                                description: Order defines the iteration order on
                                  the list. Can be Ascending to iterate from first
                                  to last element or Descending to iterate in from
                                  last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: PatchStrategicMerge is a strategic merge
                                  patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: PatchesJSON6902 is a list of RFC 6902
                                  JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        patchStrategicMerge:
                          description: PatchStrategicMerge is a strategic merge patch
                            used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: PatchesJSON6902 is a list of RFC 6902 JSON
                            Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: 'Preconditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements
                                  is supported for backwards compatibility but will
                                  be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule, It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: 'Preconditions are used to determine if a policy
                        rule should be applied by evaluating a set of conditions.
                        The declaration can contain nested `any` or `all` statements.
                        A direct list of conditions (without `any` or `all` statements
                        is supported for backwards compatibility but will be deprecated
                        in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                      x-kubernetes-preserve-unknown-fields: true
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: AnyPattern specifies list of validation patterns.
                            At least one of the patterns must be satisfied for the
                            validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: "key specifies the audit annotation
                                      key. The audit annotation keys of a ValidatingAdmissionPolicy
                                      must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
                                      63 bytes in length. \n The key is combined with
                                      the resource name of the ValidatingAdmissionPolicy
                                      to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                      name}/{key}\". \n If an admission webhook uses
                                      the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation
                                      key will be identical. In this case, the first
                                      annotation written with the key will be included
                                      in the audit event and all subsequent annotations
                                      with the same key will be discarded. \n Required."
                                    type: string
                                  valueExpression:
                                    description: "valueExpression represents the expression
                                      which is evaluated by CEL to produce an audit
                                      annotation value. The expression must evaluate
                                      to either a string or null value. If the expression
                                      evaluates to a string, the audit annotation
                                      is included with the string value. If the expression
                                      evaluates to null or empty string the audit
                                      annotation will be omitted. The valueExpression
                                      may be no longer than 5kb in length. If the
                                      result of the valueExpression is more than 10kb
                                      in length, it will be truncated to 10kb. \n
                                      If multiple ValidatingAdmissionPolicyBinding
                                      resources match an API request, then the valueExpression
                                      will be evaluated for each binding. All unique
                                      values produced by the valueExpressions will
                                      be joined together in a comma-separated list.
                                      \n Required."
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                      CEL expressions have access to the contents
                                      of the API request/response, organized into
                                      CEL variables as well as some other useful variables:
                                      \n - 'object' - The object from the incoming
                                      request. The value is null for DELETE requests.
                                      - 'oldObject' - The existing object. The value
                                      is null for CREATE requests. - 'request' - Attributes
                                      of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                      - 'params' - Parameter resource referred to
                                      by the policy binding being evaluated. Only
                                      populated if the policy has a ParamKind. - 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                      - 'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the request resource. \n The `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the object.
                                      No other metadata properties are accessible.
                                      \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible. Accessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression: - '__' escapes to
                                      '__underscores__' - '.' escapes to '__dot__'
                                      - '-' escapes to '__dash__' - '/' escapes to
                                      '__slash__' - Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are: \"true\", \"false\", \"null\",
                                      \"in\", \"as\", \"break\", \"const\", \"continue\",
                                      \"else\", \"for\", \"function\", \"if\", \"import\",
                                      \"let\", \"loop\", \"package\", \"namespace\",
                                      \"return\". Examples: - Expression accessing
                                      a property named \"namespace\": {\"Expression\":
                                      \"object.__namespace__ > 0\"} - Expression accessing
                                      a property named \"x-prop\": {\"Expression\":
                                      \"object.x__dash__prop > 0\"} - Expression accessing
                                      a property named \"redact__d\": {\"Expression\":
                                      \"object.redact__underscores__d > 0\"} \n Equality
                                      on arrays with list type of 'set' or 'map' ignores
                                      element order, i.e. [1, 2] == [2, 1]. Concatenation
                                      on arrays with x-kubernetes-list-type use the
                                      semantics of the list type: - 'set': `X + Y`
                                      performs a union where the array positions of
                                      all elements in `X` are preserved and non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order. - 'map': `X + Y` performs a merge
                                      where the array positions of all keys in `X`
                                      are preserved but the values are overwritten
                                      by values in `Y` when the key sets of `X` and
                                      `Y` intersect. Elements in `Y` with non-intersecting
                                      keys are appended, retaining their partial order.
                                      Required."
                                    type: string
                                  message:
                                    description: 'Message represents the message displayed
                                      when validation fails. The message is required
                                      if the Expression contains line breaks. The
                                      message must not contain line breaks. If unset,
                                      the message is "failed rule: {Rule}". e.g. "must
                                      be a URL with the host matching spec.host" If
                                      the Expression contains line breaks. Message
                                      is required. The message must not contain line
                                      breaks. If unset, the message is "failed Expression:
                                      {Expression}".'
                                    type: string
                                  messageExpression:
                                    description: 'messageExpression declares a CEL
                                      expression that evaluates to the validation
                                      failure message that is returned when this rule
                                      fails. Since messageExpression is used as a
                                      failure message, it must evaluate to a string.
                                      If both message and messageExpression are present
                                      on a validation, then messageExpression will
                                      be used if validation fails. If messageExpression
                                      results in a runtime error, the runtime error
                                      is logged, and the validation failure message
                                      is produced as if the messageExpression field
                                      were unset. If messageExpression evaluates to
                                      an empty string, a string with only spaces,
                                      or a string that contains line breaks, then
                                      the validation failure message will also be
                                      produced as if the messageExpression field were
                                      unset, and the fact that messageExpression produced
                                      an empty string/string with only spaces/string
                                      with line breaks will be logged. messageExpression
                                      has access to all the same variables as the
                                      `expression` except for ''authorizer'' and ''authorizer.requestResource''.
                                      Example: "object.x must be less than max ("+string(params.max)+")"'
                                    type: string
                                  reason:
                                    description: 'Reason represents a machine-readable
                                      description of why this validation failed. If
                                      this is the first validation in the list to
                                      fail, this reason, as well as the corresponding
                                      HTTP response code, are used in the HTTP response
                                      to the client. The currently supported reasons
                                      are: "Unauthorized", "Forbidden", "Invalid",
                                      "RequestEntityTooLarge". If not set, StatusReasonInvalid
                                      is used in the response to the client.'
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: APIVersion is the API group version
                                    the resources belong to. In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: Kind is the API kind the resources
                                    belong to. Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: Name of the resource being referenced.
                                  type: string
                                namespace:
                                  description: Namespace of the referenced resource.
                                    Should be empty for the cluster-scoped resources
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: 'Multiple conditions can be declared under
                                an `any` or `all` statement. A direct list of conditions
                                (without `any` or `all` statements) is also supported
                                for backwards compatibility but will be deprecated
                                in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                              x-kubernetes-preserve-unknown-fields: true
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: AnyPattern specifies list of validation
                                  patterns. At least one of the patterns must be satisfied
                                  for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: 'Multiple conditions can be declared
                                      under an `any` or `all` statement. A direct
                                      list of conditions (without `any` or `all` statements)
                                      is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: ElementScope specifies whether to use
                                  the current list element as the scope for validation.
                                  Defaults to "true" if not specified. When set to
                                  "false", "request.object" is used as the validation
                                  scope within the foreach block to allow referencing
                                  other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specified the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: Count specifies the required number
                                      of entries that must match. If the count is
                                      null, all entries must match (a logical AND).
                                      If the count is 1, at least one entry must match
                                      (a logical OR). If the count contains a value
                                      N, then N must be less than or equal to the
                                      size of entries, and at least N entries must
                                      match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: Entries contains the available attestors.
                                      An attestor can be a static key, attributes
                                      for keyless verification, or a nested attestor
                                      declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: Annotations are used for image
                                            verification. Every specified key-value
                                            pair must exist and match in the verified
                                            payload. The payload may contain other
                                            key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested AttestorSet
                                            used to specify a more complex set of
                                            match authorities
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates
                                          properties:
                                            cert:
                                              description: Certificate is an optional
                                                PEM encoded public certificate.
                                              type: string
                                            certChain:
                                              description: CertificateChain is an
                                                optional PEM encoded set of certificates
                                                used to verify
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked. If an empty object is provided
                                                the public instance of Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                          type: object
                                        keyless:
                                          description: Keyless is a set of attribute
                                            used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked and a root certificate chain
                                                is expected instead. If an empty object
                                                is provided the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            roots:
                                              description: Roots is an optional set
                                                of PEM encoded trusted root certificates.
                                                If not provided, the system roots
                                                are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys
                                          properties:
                                            kms:
                                              description: 'KMS provides the URI to
                                                the public key stored in a Key Management
                                                System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                              type: string
                                            publicKeys:
                                              description: Keys is a set of X.509
                                                public keys used to verify image signatures.
                                                The keys can be directly specified
                                                or can be a variable reference to
                                                a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/),
                                                or reference a standard Kubernetes
                                                Secret elsewhere in the cluster by
                                                specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key
                                                `cosign.pub` containing the public
                                                key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each
                                                key is processed as a separate staticKey
                                                entry (.attestors[*].entries.keys)
                                                within the set of attestors and the
                                                count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, or an empty object
                                                is provided, the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha256 and sha512
                                              type: string
                                          type: object
                                        repository:
                                          description: Repository is an optional alternate
                                            OCI repository to use for signatures and
                                            attestations that match this rule. If
                                            specified Repository will override other
                                            OCI image repository locations for this
                                            Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: Repository is an optional alternate OCI
                                repository to use for resource bundle reference. The
                                repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: PodSecurity applies exemptions for Kubernetes
                            Pod Security admission by specifying exclusions for Pod
                            Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: 'ControlName specifies the name of
                                      the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: 'Images selects matching containers
                                      and applies the container level PSS. Each image
                                      is the image name consisting of the registry
                                      address, repository, image, and tag. Empty list
                                      matches no containers, PSS checks are applied
                                      at the pod level only. Wildcards (''*'' and
                                      ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: Level defines the Pod Security Standard
                                level to be applied to workloads. Allowed values are
                                privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: Version defines the Pod Security Standard
                                versions that Kubernetes supports. Allowed values
                                are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
                                v1.26, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - latest
                              type: string
                          type: object
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: ImageVerification validates that images that
                          match the specified pattern are signed with the supplied
                          public key. Once the image is verified it is mutated to
                          include the SHA digest retrieved during the registration.
                        properties:
                          additionalExtensions:
                            additionalProperties:
                              type: string
                            description: AdditionalExtensions are certificate-extensions
                              used for keyless signing. Deprecated.
                            type: object
                          annotations:
                            additionalProperties:
                              type: string
                            description: Annotations are used for image verification.
                              Every specified key-value pair must exist and match
                              in the verified payload. The payload may contain other
                              key-value pairs. Deprecated. Use annotations per Attestor
                              instead.
                            type: object
                          attestations:
                            description: Attestations are optional checks for signed
                              in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
                              Kyverno fetches signed attestations from the OCI registry
                              and decodes them into a list of Statement declarations.
                            items:
                              description: Attestation are checks for signed in-toto
                                Statements that are used to verify the image. See
                                https://github.com/in-toto/attestation. Kyverno fetches
                                signed attestations from the OCI registry and decodes
                                them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: Conditions are used to verify attributes
                                    within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long there
                                    are predicates that match the predicate type.
                                  items:
                                    description: AnyAllConditions consists of conditions
                                      wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one
                                      of its sub-conditions passes. AllConditions
                                      get fulfilled only when all of its sub-conditions
                                      pass.
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: PredicateType defines the type of Predicate
                                    contained within the Statement. Deprecated in
                                    favour of 'Type', to be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specified the required attestors
                              (i.e. authorities)
                            items:
                              properties:
                                count:
                                  description: Count specifies the required number
                                    of entries that must match. If the count is null,
                                    all entries must match (a logical AND). If the
                                    count is 1, at least one entry must match (a logical
                                    OR). If the count contains a value N, then N must
                                    be less than or equal to the size of entries,
                                    and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: Entries contains the available attestors.
                                    An attestor can be a static key, attributes for
                                    keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations are used for image
                                          verification. Every specified key-value
                                          pair must exist and match in the verified
                                          payload. The payload may contain other key-value
                                          pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested AttestorSet
                                          used to specify a more complex set of match
                                          authorities
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates
                                        properties:
                                          cert:
                                            description: Certificate is an optional
                                              PEM encoded public certificate.
                                            type: string
                                          certChain:
                                            description: CertificateChain is an optional
                                              PEM encoded set of certificates used
                                              to verify
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked.
                                              If an empty object is provided the public
                                              instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                        type: object
                                      keyless:
                                        description: Keyless is a set of attribute
                                          used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked
                                              and a root certificate chain is expected
                                              instead. If an empty object is provided
                                              the public instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          roots:
                                            description: Roots is an optional set
                                              of PEM encoded trusted root certificates.
                                              If not provided, the system roots are
                                              used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys
                                        properties:
                                          kms:
                                            description: 'KMS provides the URI to
                                              the public key stored in a Key Management
                                              System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                            type: string
                                          publicKeys:
                                            description: Keys is a set of X.509 public
                                              keys used to verify image signatures.
                                              The keys can be directly specified or
                                              can be a variable reference to a key
                                              specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                              or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying
                                              it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key
                                              `cosign.pub` containing the public key
                                              used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each
                                              key is processed as a separate staticKey
                                              entry (.attestors[*].entries.keys) within
                                              the set of attestors and the count is
                                              applied across the keys.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, or an empty object
                                              is provided, the public instance of
                                              Rekor (https://rekor.sigstore.dev) is
                                              used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha256 and sha512
                                            type: string
                                        type: object
                                      repository:
                                        description: Repository is an optional alternate
                                          OCI repository to use for signatures and
                                          attestations that match this rule. If specified
                                          Repository will override other OCI image
                                          repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          image:
                            description: 'Image is the image name consisting of the
                              registry address, repository, image, and tag. Wildcards
                              (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                              Deprecated. Use ImageReferences instead.'
                            type: string
                          imageReferences:
                            description: 'ImageReferences is a list of matching image
                              reference patterns. At least one pattern in the list
                              must match the image for the rule to apply. Each image
                              reference consists of a registry address (defaults to
                              docker.io), repository, image, and tag (defaults to
                              latest). Wildcards (''*'' and ''?'') are allowed. See:
                              https://kubernetes.io/docs/concepts/containers/images.'
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry
                                type: boolean
                              providers:
                                description: 'Providers specifies a list of OCI Registry
                                  names, whose authentication providers are provided
                                  It can be of one of these values: AWS, ACR, GCP,
                                  GHCR'
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: Secrets specifies a list of secrets that
                                  are provided for credentials Secrets must live in
                                  the Kyverno namespace
                                items:
                                  type: string
                                type: array
                            type: object
                          issuer:
                            description: Issuer is the certificate issuer used for
                              keyless signing. Deprecated. Use KeylessAttestor instead.
                            type: string
                          key:
                            description: Key is the PEM encoded public key that the
                              image or attestation is signed with. Deprecated. Use
                              StaticKeyAttestor instead.
                            type: string
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
                              tags with digests. Defaults to true.
                            type: boolean
                          repository:
                            description: Repository is an optional alternate OCI repository
                              to use for image signatures and attestations that match
                              this rule. If specified Repository will override the
                              default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or
                              Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have matched passed a signature or attestation
                              check.
                            type: boolean
                          roots:
                            description: Roots is the PEM encoded Root certificate
                              chain used for keyless signing Deprecated. Use KeylessAttestor
                              instead.
                            type: string
                          subject:
                            description: Subject is the identity used for keyless
                              signing, for example an email address Deprecated. Use
                              KeylessAttestor instead.
                            type: string
                          type:
                            description: Type specifies the method of signature validation.
                              The allowed options are Cosign and Notary. By default
                              Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: SchemaValidation skips validation checks for policies
                  as well as patched resources. Optional. The default value is set
                  to "true", it must be set to "false" to disable the validation checks.
                type: boolean
              useServerSideApply:
                description: UseServerSideApply controls whether to use server-side
                  apply for generate rules If is set to "true" create & update for
                  generate rules will use apply instead of create/update. Defaults
                  to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: ValidationFailureAction defines if a validation policy
                  rule violation should block the admission review request (enforce),
                  or allow (audit) the admission review request and report an error
                  in a policy report. Optional. Allowed values are audit or enforce.
                  The default value is "Audit".
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
                  attribute that specifies ValidationFailureAction namespace-wise.
                  It overrides ValidationFailureAction for the specified namespaces.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookTimeoutSeconds:
                description: WebhookTimeoutSeconds specifies the maximum time in seconds
                  allowed to apply this policy. After the configured time expires,
                  the admission request may fail, or may simply ignore the policy
                  results, based on the failure policy. The default timeout is 10s,
                  the value must be between 1 and 30 seconds.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime information. Deprecated. Policy
              metrics are available via the metrics endpoint
            properties:
              autogen:
                description: Autogen contains autogen status information
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: Rule defines a validation, mutation, or generation
                        control for matching resources. Each rules contains a match
                        declaration to select resources, and an optional exclude declaration
                        to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: CELPreconditions are used to determine if a
                            policy rule should be applied by evaluating a set of CEL
                            conditions. It can only be used with the validate.cel
                            subrule
                          items:
                            description: MatchCondition represents a condition which
                              must by fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: "Expression represents the expression
                                  which will be evaluated by CEL. Must evaluate to
                                  bool. CEL expressions have access to the contents
                                  of the AdmissionRequest and Authorizer, organized
                                  into CEL variables: \n 'object' - The object from
                                  the incoming request. The value is null for DELETE
                                  requests. 'oldObject' - The existing object. The
                                  value is null for CREATE requests. 'request' - Attributes
                                  of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to
                                  perform authorization checks for the principal (user
                                  or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck
                                  constructed from the 'authorizer' and configured
                                  with the request resource. Documentation on CEL:
                                  https://kubernetes.io/docs/reference/using-api/cel/
                                  \n Required."
                                type: string
                              name:
                                description: "Name is an identifier for this match
                                  condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes.
                                  A good name should be descriptive of the associated
                                  expression. Name must be a qualified name consisting
                                  of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character
                                  (e.g. 'MyName',  or 'my.name',  or '123-abc', regex
                                  used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                                  with an optional DNS subdomain prefix and '/' (e.g.
                                  'example.com/MyName') \n Required."
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: ContextEntry adds variables and data sources
                              to a rule Context. Either a ConfigMap reference or a
                              APILookup must be provided.
                            properties:
                              apiCall:
                                description: APICall is an HTTP request to the Kubernetes
                                  API server, or other JSON web service. The data
                                  returned is stored in the context with the name
                                  for the context entry.
                                properties:
                                  data:
                                    description: Data specifies the POST data sent
                                      to the server.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      JSON response returned from the server. For
                                      example a JMESPath of "items | length(@)" applied
                                      to the API server response for the URLPath "/apis/apps/v1/deployments"
                                      will return the total count of deployments across
                                      all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST).
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: Service is an API call to a JSON
                                      web service
                                    properties:
                                      caBundle:
                                        description: CABundle is a PEM encoded CA
                                          bundle which will be used to validate the
                                          server certificate.
                                        type: string
                                      url:
                                        description: URL is the JSON web service URL.
                                          A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: URLPath is the URL path to be used
                                      in the HTTP GET or POST request to the Kubernetes
                                      API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used
                                      by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              imageRegistry:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry
                                        type: boolean
                                      providers:
                                        description: 'Providers specifies a list of
                                          OCI Registry names, whose authentication
                                          providers are provided It can be of one
                                          of these values: AWS, ACR, GCP, GHCR'
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: Secrets specifies a list of secrets
                                          that are provided for credentials Secrets
                                          must live in the Kyverno namespace
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: 'Reference is image reference to
                                      a container image in the registry. Example:
                                      ghcr.io/kyverno/kyverno:latest'
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: Default is an optional arbitrary
                                      JSON object that the variable may take if the
                                      JMESPath expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: JMESPath is an optional JMESPath
                                      Expression that can be used to transform the
                                      variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: ExcludeResources defines when this policy rule
                            should not be applied. The exclude criteria can include
                            resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name
                            or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: Clone specifies the source resource used
                                to populate each generated resource. At most one of
                                Data or Clone can be specified. If neither are provided,
                                the generated resource will be created with default
                                data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resource used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: Selector is a label selector. Label
                                    keys and values in `matchLabels`. wildcard characters
                                    are not supported.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: Data provides the resource declaration
                                used to populate each generated resource. At most
                                one of Data or Clone must be specified. If neither
                                are provided, the generated resource will be created
                                with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            synchronize:
                              description: Synchronize controls if generated resources
                                should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated
                                resources will be overwritten with resource data from
                                Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: 'JMESPath is an optional JMESPath expression
                                    to apply to the image value. This is useful when
                                    the extracted image begins with a prefix like
                                    ''docker://''. The ''trim_prefix'' function may
                                    be used to trim the prefix: trim_prefix(@, ''docker://'').
                                    Note - Image digest mutation may not be used when
                                    applying a JMESPAth to an image.'
                                  type: string
                                key:
                                  description: Key is an optional name of the field
                                    within 'path' that will be used to uniquely identify
                                    an image. Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: Name is the entry the image will be
                                    available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will
                                    appear under 'images.custom'.
                                  type: string
                                path:
                                  description: Path is the path to the object containing
                                    the image field in a custom resource. It should
                                    be slash-separated. Each slash-separated key must
                                    be a valid YAML key or a wildcard '*'. Wildcard
                                    keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: Value is an optional name of the field
                                    within 'path' that points to the image URI. This
                                    is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: ImageExtractors defines a mapping from kinds
                            to ImageExtractorConfigs. This config is only valid for
                            verifyImages rules.
                          type: object
                        match:
                          description: MatchResources defines when this policy rule
                            should be applied. The match criteria can include resource
                            information (e.g. kind, name, namespace, labels) and admission
                            review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  order:
                                    description: Order defines the iteration order
                                      on the list. Can be Ascending to iterate from
                                      first to last element or Descending to iterate
                                      in from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: PatchStrategicMerge is a strategic
                                      merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: PatchesJSON6902 is a list of RFC
                                      6902 JSON Patch declarations used to modify
                                      resources. See https://tools.ietf.org/html/rfc6902
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            patchStrategicMerge:
                              description: PatchStrategicMerge is a strategic merge
                                patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: PatchesJSON6902 is a list of RFC 6902 JSON
                                Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: 'Preconditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements
                                      is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule, It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: 'Preconditions are used to determine if a policy
                            rule should be applied by evaluating a set of conditions.
                            The declaration can contain nested `any` or `all` statements.
                            A direct list of conditions (without `any` or `all` statements
                            is supported for backwards compatibility but will be deprecated
                            in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                          x-kubernetes-preserve-unknown-fields: true
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: AnyPattern specifies list of validation
                                patterns. At least one of the patterns must be satisfied
                                for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: "key specifies the audit annotation
                                          key. The audit annotation keys of a ValidatingAdmissionPolicy
                                          must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
                                          than 63 bytes in length. \n The key is combined
                                          with the resource name of the ValidatingAdmissionPolicy
                                          to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                          name}/{key}\". \n If an admission webhook
                                          uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation
                                          key will be identical. In this case, the
                                          first annotation written with the key will
                                          be included in the audit event and all subsequent
                                          annotations with the same key will be discarded.
                                          \n Required."
                                        type: string
                                      valueExpression:
                                        description: "valueExpression represents the
                                          expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression
                                          must evaluate to either a string or null
                                          value. If the expression evaluates to a
                                          string, the audit annotation is included
                                          with the string value. If the expression
                                          evaluates to null or empty string the audit
                                          annotation will be omitted. The valueExpression
                                          may be no longer than 5kb in length. If
                                          the result of the valueExpression is more
                                          than 10kb in length, it will be truncated
                                          to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
                                          resources match an API request, then the
                                          valueExpression will be evaluated for each
                                          binding. All unique values produced by the
                                          valueExpressions will be joined together
                                          in a comma-separated list. \n Required."
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                          CEL expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables: \n - 'object' - The object from
                                          the incoming request. The value is null
                                          for DELETE requests. - 'oldObject' - The
                                          existing object. The value is null for CREATE
                                          requests. - 'request' - Attributes of the
                                          API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                          - 'params' - Parameter resource referred
                                          to by the policy binding being evaluated.
                                          Only populated if the policy has a ParamKind.
                                          - 'authorizer' - A CEL Authorizer. May be
                                          used to perform authorization checks for
                                          the principal (user or service account)
                                          of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                          - 'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the request resource. \n The `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the
                                          object. No other metadata properties are
                                          accessible. \n Only property names of the
                                          form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
                                          accessible. Accessible property names are
                                          escaped according to the following rules
                                          when accessed in the expression: - '__'
                                          escapes to '__underscores__' - '.' escapes
                                          to '__dot__' - '-' escapes to '__dash__'
                                          - '/' escapes to '__slash__' - Property
                                          names that exactly match a CEL RESERVED
                                          keyword escape to '__{keyword}__'. The keywords
                                          are: \"true\", \"false\", \"null\", \"in\",
                                          \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",
                                          \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\". Examples: - Expression
                                          accessing a property named \"namespace\":
                                          {\"Expression\": \"object.__namespace__
                                          > 0\"} - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"} - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"} \n Equality on arrays with list type
                                          of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1]. Concatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type: - 'set': `X
                                          + Y` performs a union where the array positions
                                          of all elements in `X` are preserved and
                                          non-intersecting elements in `Y` are appended,
                                          retaining their partial order. - 'map':
                                          `X + Y` performs a merge where the array
                                          positions of all keys in `X` are preserved
                                          but the values are overwritten by values
                                          in `Y` when the key sets of `X` and `Y`
                                          intersect. Elements in `Y` with non-intersecting
                                          keys are appended, retaining their partial
                                          order. Required."
                                        type: string
                                      message:
                                        description: 'Message represents the message
                                          displayed when validation fails. The message
                                          is required if the Expression contains line
                                          breaks. The message must not contain line
                                          breaks. If unset, the message is "failed
                                          rule: {Rule}". e.g. "must be a URL with
                                          the host matching spec.host" If the Expression
                                          contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression:
                                          {Expression}".'
                                        type: string
                                      messageExpression:
                                        description: 'messageExpression declares a
                                          CEL expression that evaluates to the validation
                                          failure message that is returned when this
                                          rule fails. Since messageExpression is used
                                          as a failure message, it must evaluate to
                                          a string. If both message and messageExpression
                                          are present on a validation, then messageExpression
                                          will be used if validation fails. If messageExpression
                                          results in a runtime error, the runtime
                                          error is logged, and the validation failure
                                          message is produced as if the messageExpression
                                          field were unset. If messageExpression evaluates
                                          to an empty string, a string with only spaces,
                                          or a string that contains line breaks, then
                                          the validation failure message will also
                                          be produced as if the messageExpression
                                          field were unset, and the fact that messageExpression
                                          produced an empty string/string with only
                                          spaces/string with line breaks will be logged.
                                          messageExpression has access to all the
                                          same variables as the `expression` except
                                          for ''authorizer'' and ''authorizer.requestResource''.
                                          Example: "object.x must be less than max
                                          ("+string(params.max)+")"'
                                        type: string
                                      reason:
                                        description: 'Reason represents a machine-readable
                                          description of why this validation failed.
                                          If this is the first validation in the list
                                          to fail, this reason, as well as the corresponding
                                          HTTP response code, are used in the HTTP
                                          response to the client. The currently supported
                                          reasons are: "Unauthorized", "Forbidden",
                                          "Invalid", "RequestEntityTooLarge". If not
                                          set, StatusReasonInvalid is used in the
                                          response to the client.'
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: APIVersion is the API group version
                                        the resources belong to. In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: Kind is the API kind the resources
                                        belong to. Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: Name of the resource being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced resource.
                                        Should be empty for the cluster-scoped resources
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: 'Multiple conditions can be declared
                                    under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements)
                                    is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: AnyPattern specifies list of validation
                                      patterns. At least one of the patterns must
                                      be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: 'Multiple conditions can be declared
                                          under an `any` or `all` statement. A direct
                                          list of conditions (without `any` or `all`
                                          statements) is also supported for backwards
                                          compatibility but will be deprecated in
                                          the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: ElementScope specifies whether to
                                      use the current list element as the scope for
                                      validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used
                                      as the validation scope within the foreach block
                                      to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specified the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: Repository is an optional alternate
                                    OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor
                                    or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: PodSecurity applies exemptions for Kubernetes
                                Pod Security admission by specifying exclusions for
                                Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: 'ControlName specifies the name
                                          of the Pod Security Standard control. See:
                                          https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: 'Images selects matching containers
                                          and applies the container level PSS. Each
                                          image is the image name consisting of the
                                          registry address, repository, image, and
                                          tag. Empty list matches no containers, PSS
                                          checks are applied at the pod level only.
                                          Wildcards (''*'' and ''?'') are allowed.
                                          See: https://kubernetes.io/docs/concepts/containers/images.'
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: Level defines the Pod Security Standard
                                    level to be applied to workloads. Allowed values
                                    are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: Version defines the Pod Security Standard
                                    versions that Kubernetes supports. Allowed values
                                    are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
                                    v1.25, v1.26, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - latest
                                  type: string
                              type: object
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: ImageVerification validates that images that
                              match the specified pattern are signed with the supplied
                              public key. Once the image is verified it is mutated
                              to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: AdditionalExtensions are certificate-extensions
                                  used for keyless signing. Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Annotations are used for image verification.
                                  Every specified key-value pair must exist and match
                                  in the verified payload. The payload may contain
                                  other key-value pairs. Deprecated. Use annotations
                                  per Attestor instead.
                                type: object
                              attestations:
                                description: Attestations are optional checks for
                                  signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno
                                  fetches signed attestations from the OCI registry
                                  and decodes them into a list of Statement declarations.
                                items:
                                  description: Attestation are checks for signed in-toto
                                    Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno
                                    fetches signed attestations from the OCI registry
                                    and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities)
                                      items:
                                        properties:
                                          count:
                                            description: Count specifies the required
                                              number of entries that must match. If
                                              the count is null, all entries must
                                              match (a logical AND). If the count
                                              is 1, at least one entry must match
                                              (a logical OR). If the count contains
                                              a value N, then N must be less than
                                              or equal to the size of entries, and
                                              at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: Entries contains the available
                                              attestors. An attestor can be a static
                                              key, attributes for keyless verification,
                                              or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: Annotations are used
                                                    for image verification. Every
                                                    specified key-value pair must
                                                    exist and match in the verified
                                                    payload. The payload may contain
                                                    other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    AttestorSet used to specify a
                                                    more complex set of match authorities
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates
                                                  properties:
                                                    cert:
                                                      description: Certificate is
                                                        an optional PEM encoded public
                                                        certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertificateChain
                                                        is an optional PEM encoded
                                                        set of certificates used to
                                                        verify
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked. If an empty
                                                        object is provided the public
                                                        instance of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: Keyless is a set of
                                                    attribute used to verify a Sigstore
                                                    keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked and a root
                                                        certificate chain is expected
                                                        instead. If an empty object
                                                        is provided the public instance
                                                        of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    roots:
                                                      description: Roots is an optional
                                                        set of PEM encoded trusted
                                                        root certificates. If not
                                                        provided, the system roots
                                                        are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys
                                                  properties:
                                                    kms:
                                                      description: 'KMS provides the
                                                        URI to the public key stored
                                                        in a Key Management System.
                                                        See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                      type: string
                                                    publicKeys:
                                                      description: Keys is a set of
                                                        X.509 public keys used to
                                                        verify image signatures. The
                                                        keys can be directly specified
                                                        or can be a variable reference
                                                        to a key specified in a ConfigMap
                                                        (see https://kyverno.io/docs/writing-policies/variables/),
                                                        or reference a standard Kubernetes
                                                        Secret elsewhere in the cluster
                                                        by specifying it in the format
                                                        "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify
                                                        a key `cosign.pub` containing
                                                        the public key used for verification,
                                                        (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified
                                                        each key is processed as a
                                                        separate staticKey entry (.attestors[*].entries.keys)
                                                        within the set of attestors
                                                        and the count is applied across
                                                        the keys.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, or an
                                                        empty object is provided,
                                                        the public instance of Rekor
                                                        (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha256
                                                        and sha512
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: Repository is an optional
                                                    alternate OCI repository to use
                                                    for signatures and attestations
                                                    that match this rule. If specified
                                                    Repository will override other
                                                    OCI image repository locations
                                                    for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: Conditions are used to verify attributes
                                        within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long
                                        there are predicates that match the predicate
                                        type.
                                      items:
                                        description: AnyAllConditions consists of
                                          conditions wrapped denoting a logical criteria
                                          to be fulfilled. AnyConditions get fulfilled
                                          when at least one of its sub-conditions
                                          passes. AllConditions get fulfilled only
                                          when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: AllConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, all of the conditions need to
                                              pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: AnyConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, at least one of the conditions
                                              need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: PredicateType defines the type
                                        of Predicate contained within the Statement.
                                        Deprecated in favour of 'Type', to be removed
                                        soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specified the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: Count specifies the required number
                                        of entries that must match. If the count is
                                        null, all entries must match (a logical AND).
                                        If the count is 1, at least one entry must
                                        match (a logical OR). If the count contains
                                        a value N, then N must be less than or equal
                                        to the size of entries, and at least N entries
                                        must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: Entries contains the available
                                        attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a
                                        nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: Annotations are used for
                                              image verification. Every specified
                                              key-value pair must exist and match
                                              in the verified payload. The payload
                                              may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested AttestorSet
                                              used to specify a more complex set of
                                              match authorities
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates
                                            properties:
                                              cert:
                                                description: Certificate is an optional
                                                  PEM encoded public certificate.
                                                type: string
                                              certChain:
                                                description: CertificateChain is an
                                                  optional PEM encoded set of certificates
                                                  used to verify
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked. If an empty object is provided
                                                  the public instance of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                            type: object
                                          keyless:
                                            description: Keyless is a set of attribute
                                              used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked and a root certificate chain
                                                  is expected instead. If an empty
                                                  object is provided the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              roots:
                                                description: Roots is an optional
                                                  set of PEM encoded trusted root
                                                  certificates. If not provided, the
                                                  system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys
                                            properties:
                                              kms:
                                                description: 'KMS provides the URI
                                                  to the public key stored in a Key
                                                  Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                type: string
                                              publicKeys:
                                                description: Keys is a set of X.509
                                                  public keys used to verify image
                                                  signatures. The keys can be directly
                                                  specified or can be a variable reference
                                                  to a key specified in a ConfigMap
                                                  (see https://kyverno.io/docs/writing-policies/variables/),
                                                  or reference a standard Kubernetes
                                                  Secret elsewhere in the cluster
                                                  by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a
                                                  key `cosign.pub` containing the
                                                  public key used for verification,
                                                  (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified
                                                  each key is processed as a separate
                                                  staticKey entry (.attestors[*].entries.keys)
                                                  within the set of attestors and
                                                  the count is applied across the
                                                  keys.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, or an empty
                                                  object is provided, the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha256 and sha512
                                                type: string
                                            type: object
                                          repository:
                                            description: Repository is an optional
                                              alternate OCI repository to use for
                                              signatures and attestations that match
                                              this rule. If specified Repository will
                                              override other OCI image repository
                                              locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              image:
                                description: 'Image is the image name consisting of
                                  the registry address, repository, image, and tag.
                                  Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                  Deprecated. Use ImageReferences instead.'
                                type: string
                              imageReferences:
                                description: 'ImageReferences is a list of matching
                                  image reference patterns. At least one pattern in
                                  the list must match the image for the rule to apply.
                                  Each image reference consists of a registry address
                                  (defaults to docker.io), repository, image, and
                                  tag (defaults to latest). Wildcards (''*'' and ''?'')
                                  are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              key:
                                description: Key is the PEM encoded public key that
                                  the image or attestation is signed with. Deprecated.
                                  Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: MutateDigest enables replacement of image
                                  tags with digests. Defaults to true.
                                type: boolean
                              repository:
                                description: Repository is an optional alternate OCI
                                  repository to use for image signatures and attestations
                                  that match this rule. If specified Repository will
                                  override the default OCI image repository configured
                                  for the installation. The repository can also be
                                  overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                  i.e. have matched passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Roots is the PEM encoded Root certificate
                                  chain used for keyless signing Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              subject:
                                description: Subject is the identity used for keyless
                                  signing, for example an email address Deprecated.
                                  Use KeylessAttestor instead.
                                type: string
                              type:
                                description: Type specifies the method of signature
                                  validation. The allowed options are Cosign and Notary.
                                  By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                description: Conditions is a list of conditions that apply to the
                  policy
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Ready indicates if the policy is ready to serve the admission
                  request. Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: RuleCount describes total number of rules in a policy
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.admission
      name: ADMISSION
      type: boolean
    - jsonPath: .spec.background
      name: BACKGROUND
      type: boolean
    - jsonPath: .spec.validationFailureAction
      name: VALIDATE ACTION
      type: string
    - jsonPath: .status.conditions[?(@.type == "Ready")].status
      name: READY
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .spec.failurePolicy
      name: FAILURE POLICY
      priority: 1
      type: string
    - jsonPath: .status.rulecount.validate
      name: VALIDATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.mutate
      name: MUTATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.generate
      name: GENERATE
      priority: 1
      type: integer
    - jsonPath: .status.rulecount.verifyimages
      name: VERIFY IMAGES
      priority: 1
      type: integer
    - jsonPath: .status.conditions[?(@.type == "Ready")].message
      name: MESSAGE
      type: string
    name: v2beta1
    schema:
      openAPIV3Schema:
        description: 'Policy declares validation, mutation, and generation behaviors
          for matching resources. See: https://kyverno.io/docs/writing-policies/ for
          more information.'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines policy behaviors and contains one or more rules.
            properties:
              admission:
                default: true
                description: Admission controls if rules are applied during admission.
                  Optional. Default value is "true".
                type: boolean
              applyRules:
                description: ApplyRules controls how rules in a policy are applied.
                  Rule are processed in the order of declaration. When set to `One`
                  processing stops after a rule has been applied i.e. the rule matches
                  and results in a pass, fail, or error. When set to `All` all rules
                  in the policy are processed. The default is `All`.
                enum:
                - All
                - One
                type: string
              background:
                default: true
                description: Background controls if rules are applied to existing
                  resources during a background scan. Optional. Default value is "true".
                  The value must be set to "false" if the policy rule uses variables
                  that are only available in the admission review request (e.g. user
                  name).
                type: boolean
              failurePolicy:
                description: FailurePolicy defines how unexpected policy errors and
                  webhook response timeout errors are handled. Rules within the same
                  policy share the same failure behavior. Allowed values are Ignore
                  or Fail. Defaults to Fail.
                enum:
                - Ignore
                - Fail
                type: string
              generateExisting:
                description: GenerateExisting controls whether to trigger generate
                  rule in existing resources If is set to "true" generate rule will
                  be triggered and applied to existing matched resources. Defaults
                  to "false" if not specified.
                type: boolean
              generateExistingOnPolicyUpdate:
                description: Deprecated, use generateExisting instead
                type: boolean
              mutateExistingOnPolicyUpdate:
                description: MutateExistingOnPolicyUpdate controls if a mutateExisting
                  policy is applied on policy events. Default value is "false".
                type: boolean
              rules:
                description: Rules is a list of Rule instances. A Policy contains
                  multiple rules and each rule can validate, mutate, or generate resources.
                items:
                  description: Rule defines a validation, mutation, or generation
                    control for matching resources. Each rules contains a match declaration
                    to select resources, and an optional exclude declaration to specify
                    which resources to exclude.
                  properties:
                    celPreconditions:
                      description: CELPreconditions are used to determine if a policy
                        rule should be applied by evaluating a set of CEL conditions.
                        It can only be used with the validate.cel subrule
                      items:
                        description: MatchCondition represents a condition which must
                          by fulfilled for a request to be sent to a webhook.
                        properties:
                          expression:
                            description: "Expression represents the expression which
                              will be evaluated by CEL. Must evaluate to bool. CEL
                              expressions have access to the contents of the AdmissionRequest
                              and Authorizer, organized into CEL variables: \n 'object'
                              - The object from the incoming request. The value is
                              null for DELETE requests. 'oldObject' - The existing
                              object. The value is null for CREATE requests. 'request'
                              - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                              'authorizer' - A CEL Authorizer. May be used to perform
                              authorization checks for the principal (user or service
                              account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                              'authorizer.requestResource' - A CEL ResourceCheck constructed
                              from the 'authorizer' and configured with the request
                              resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
                              \n Required."
                            type: string
                          name:
                            description: "Name is an identifier for this match condition,
                              used for strategic merging of MatchConditions, as well
                              as providing an identifier for logging purposes. A good
                              name should be descriptive of the associated expression.
                              Name must be a qualified name consisting of alphanumeric
                              characters, '-', '_' or '.', and must start and end
                              with an alphanumeric character (e.g. 'MyName',  or 'my.name',
                              \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                              with an optional DNS subdomain prefix and '/' (e.g.
                              'example.com/MyName') \n Required."
                            type: string
                        required:
                        - expression
                        - name
                        type: object
                      type: array
                    context:
                      description: Context defines variables and data sources that
                        can be used during rule execution.
                      items:
                        description: ContextEntry adds variables and data sources
                          to a rule Context. Either a ConfigMap reference or a APILookup
                          must be provided.
                        properties:
                          apiCall:
                            description: APICall is an HTTP request to the Kubernetes
                              API server, or other JSON web service. The data returned
                              is stored in the context with the name for the context
                              entry.
                            properties:
                              data:
                                description: Data specifies the POST data sent to
                                  the server.
                                items:
                                  description: RequestData contains the HTTP POST
                                    data
                                  properties:
                                    key:
                                      description: Key is a unique identifier for
                                        the data value
                                      type: string
                                    value:
                                      description: Value is the data value
                                      x-kubernetes-preserve-unknown-fields: true
                                  required:
                                  - key
                                  - value
                                  type: object
                                type: array
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the JSON response
                                  returned from the server. For example a JMESPath
                                  of "items | length(@)" applied to the API server
                                  response for the URLPath "/apis/apps/v1/deployments"
                                  will return the total count of deployments across
                                  all namespaces.
                                type: string
                              method:
                                default: GET
                                description: Method is the HTTP request type (GET
                                  or POST).
                                enum:
                                - GET
                                - POST
                                type: string
                              service:
                                description: Service is an API call to a JSON web
                                  service
                                properties:
                                  caBundle:
                                    description: CABundle is a PEM encoded CA bundle
                                      which will be used to validate the server certificate.
                                    type: string
                                  url:
                                    description: URL is the JSON web service URL.
                                      A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                    type: string
                                required:
                                - url
                                type: object
                              urlPath:
                                description: URLPath is the URL path to be used in
                                  the HTTP GET or POST request to the Kubernetes API
                                  server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                  The format required is the same format used by the
                                  `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                  for details.
                                type: string
                            type: object
                          configMap:
                            description: ConfigMap is the ConfigMap reference.
                            properties:
                              name:
                                description: Name is the ConfigMap name.
                                type: string
                              namespace:
                                description: Namespace is the ConfigMap namespace.
                                type: string
                            required:
                            - name
                            type: object
                          imageRegistry:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
                                  returned as a result of processing the image reference.
                                type: string
                              reference:
                                description: 'Reference is image reference to a container
                                  image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
                                type: string
                            required:
                            - reference
                            type: object
                          name:
                            description: Name is the variable name.
                            type: string
                          variable:
                            description: Variable defines an arbitrary JMESPath context
                              variable that can be defined inline.
                            properties:
                              default:
                                description: Default is an optional arbitrary JSON
                                  object that the variable may take if the JMESPath
                                  expression evaluates to nil
                                x-kubernetes-preserve-unknown-fields: true
                              jmesPath:
                                description: JMESPath is an optional JMESPath Expression
                                  that can be used to transform the variable.
                                type: string
                              value:
                                description: Value is any arbitrary JSON object representable
                                  in YAML or JSON form.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                        type: object
                      type: array
                    exclude:
                      description: ExcludeResources defines when this policy rule
                        should not be applied. The exclude criteria can include resource
                        information (e.g. kind, name, namespace, labels) and admission
                        review request information like the name or role.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    generate:
                      description: Generation is used to create new resources.
                      properties:
                        apiVersion:
                          description: APIVersion specifies resource apiVersion.
                          type: string
                        clone:
                          description: Clone specifies the source resource used to
                            populate each generated resource. At most one of Data
                            or Clone can be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          properties:
                            name:
                              description: Name specifies name of the resource.
                              type: string
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                          type: object
                        cloneList:
                          description: CloneList specifies the list of source resource
                            used to populate each generated resource.
                          properties:
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            namespace:
                              description: Namespace specifies source resource namespace.
                              type: string
                            selector:
                              description: Selector is a label selector. Label keys
                                and values in `matchLabels`. wildcard characters are
                                not supported.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        data:
                          description: Data provides the resource declaration used
                            to populate each generated resource. At most one of Data
                            or Clone must be specified. If neither are provided, the
                            generated resource will be created with default data only.
                          x-kubernetes-preserve-unknown-fields: true
                        kind:
                          description: Kind specifies resource kind.
                          type: string
                        name:
                          description: Name specifies the resource name.
                          type: string
                        namespace:
                          description: Namespace specifies resource namespace.
                          type: string
                        synchronize:
                          description: Synchronize controls if generated resources
                            should be kept in-sync with their source resource. If
                            Synchronize is set to "true" changes to generated resources
                            will be overwritten with resource data from Data or the
                            resource specified in the Clone declaration. Optional.
                            Defaults to "false" if not specified.
                          type: boolean
                      type: object
                    imageExtractors:
                      additionalProperties:
                        items:
                          properties:
                            jmesPath:
                              description: 'JMESPath is an optional JMESPath expression
                                to apply to the image value. This is useful when the
                                extracted image begins with a prefix like ''docker://''.
                                The ''trim_prefix'' function may be used to trim the
                                prefix: trim_prefix(@, ''docker://''). Note - Image
                                digest mutation may not be used when applying a JMESPAth
                                to an image.'
                              type: string
                            key:
                              description: Key is an optional name of the field within
                                'path' that will be used to uniquely identify an image.
                                Note - this field MUST be unique.
                              type: string
                            name:
                              description: Name is the entry the image will be available
                                under 'images.<name>' in the context. If this field
                                is not defined, image entries will appear under 'images.custom'.
                              type: string
                            path:
                              description: Path is the path to the object containing
                                the image field in a custom resource. It should be
                                slash-separated. Each slash-separated key must be
                                a valid YAML key or a wildcard '*'. Wildcard keys
                                are expanded in case of arrays or objects.
                              type: string
                            value:
                              description: Value is an optional name of the field
                                within 'path' that points to the image URI. This is
                                useful when a custom 'key' is also defined.
                              type: string
                          required:
                          - path
                          type: object
                        type: array
                      description: ImageExtractors defines a mapping from kinds to
                        ImageExtractorConfigs. This config is only valid for verifyImages
                        rules.
                      type: object
                    match:
                      description: MatchResources defines when this policy rule should
                        be applied. The match criteria can include resource information
                        (e.g. kind, name, namespace, labels) and admission review
                        request information like the user name or role. At least one
                        kind is required.
                      properties:
                        all:
                          description: All allows specifying resources which will
                            be ANDed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                        any:
                          description: Any allows specifying resources which will
                            be ORed
                          items:
                            description: ResourceFilter allow users to "AND" or "OR"
                              between resources
                            properties:
                              clusterRoles:
                                description: ClusterRoles is the list of cluster-wide
                                  role names for the user.
                                items:
                                  type: string
                                type: array
                              resources:
                                description: ResourceDescription contains information
                                  about the resource being created or modified.
                                properties:
                                  annotations:
                                    additionalProperties:
                                      type: string
                                    description: Annotations is a  map of annotations
                                      (key-value pairs of type string). Annotation
                                      keys and values support the wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (matches at least one character).
                                    type: object
                                  kinds:
                                    description: Kinds is a list of resource kinds.
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: 'Name is the name of the resource.
                                      The name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character). NOTE: "Name" is being deprecated
                                      in favor of "Names".'
                                    type: string
                                  names:
                                    description: Names are the names of the resources.
                                      Each name supports wildcard characters "*" (matches
                                      zero or many characters) and "?" (at least one
                                      character).
                                    items:
                                      type: string
                                    type: array
                                  namespaceSelector:
                                    description: 'NamespaceSelector is a label selector
                                      for the resource namespace. Label keys and values
                                      in `matchLabels` support the wildcard characters
                                      `*` (matches zero or many characters) and `?`
                                      (matches one character).Wildcards allows writing
                                      label selectors like ["storage.k8s.io/*": "*"].
                                      Note that using ["*" : "*"] matches any key
                                      and value but does not match an empty label
                                      set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                  namespaces:
                                    description: Namespaces is a list of namespaces
                                      names. Each name supports wildcard characters
                                      "*" (matches zero or many characters) and "?"
                                      (at least one character).
                                    items:
                                      type: string
                                    type: array
                                  operations:
                                    description: Operations can contain values ["CREATE,
                                      "UPDATE", "CONNECT", "DELETE"], which are used
                                      to match a specific action.
                                    items:
                                      description: AdmissionOperation can have one
                                        of the values CREATE, UPDATE, CONNECT, DELETE,
                                        which are used to match a specific action.
                                      enum:
                                      - CREATE
                                      - CONNECT
                                      - UPDATE
                                      - DELETE
                                      type: string
                                    type: array
                                  selector:
                                    description: 'Selector is a label selector. Label
                                      keys and values in `matchLabels` support the
                                      wildcard characters `*` (matches zero or many
                                      characters) and `?` (matches one character).
                                      Wildcards allows writing label selectors like
                                      ["storage.k8s.io/*": "*"]. Note that using ["*"
                                      : "*"] matches any key and value but does not
                                      match an empty label set.'
                                    properties:
                                      matchExpressions:
                                        description: matchExpressions is a list of
                                          label selector requirements. The requirements
                                          are ANDed.
                                        items:
                                          description: A label selector requirement
                                            is a selector that contains values, a
                                            key, and an operator that relates the
                                            key and values.
                                          properties:
                                            key:
                                              description: key is the label key that
                                                the selector applies to.
                                              type: string
                                            operator:
                                              description: operator represents a key's
                                                relationship to a set of values. Valid
                                                operators are In, NotIn, Exists and
                                                DoesNotExist.
                                              type: string
                                            values:
                                              description: values is an array of string
                                                values. If the operator is In or NotIn,
                                                the values array must be non-empty.
                                                If the operator is Exists or DoesNotExist,
                                                the values array must be empty. This
                                                array is replaced during a strategic
                                                merge patch.
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - key
                                          - operator
                                          type: object
                                        type: array
                                      matchLabels:
                                        additionalProperties:
                                          type: string
                                        description: matchLabels is a map of {key,value}
                                          pairs. A single {key,value} in the matchLabels
                                          map is equivalent to an element of matchExpressions,
                                          whose key field is "key", the operator is
                                          "In", and the values array contains only
                                          "value". The requirements are ANDed.
                                        type: object
                                    type: object
                                    x-kubernetes-map-type: atomic
                                type: object
                              roles:
                                description: Roles is the list of namespaced role
                                  names for the user.
                                items:
                                  type: string
                                type: array
                              subjects:
                                description: Subjects is the list of subject names
                                  like users, user groups, and service accounts.
                                items:
                                  description: Subject contains a reference to the
                                    object or user identities a role binding applies
                                    to.  This can either hold a direct API object
                                    reference, or a value for non-objects such as
                                    user and group names.
                                  properties:
                                    apiGroup:
                                      description: APIGroup holds the API group of
                                        the referenced subject. Defaults to "" for
                                        ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
                                        for User and Group subjects.
                                      type: string
                                    kind:
                                      description: Kind of object being referenced.
                                        Values defined by this API group are "User",
                                        "Group", and "ServiceAccount". If the Authorizer
                                        does not recognized the kind value, the Authorizer
                                        should report an error.
                                      type: string
                                    name:
                                      description: Name of the object being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced object.  If
                                        the object kind is non-namespace, such as
                                        "User" or "Group", and this value is not empty
                                        the Authorizer should report an error.
                                      type: string
                                  required:
                                  - kind
                                  - name
                                  type: object
                                  x-kubernetes-map-type: atomic
                                type: array
                            type: object
                          type: array
                      type: object
                    mutate:
                      description: Mutation is used to modify matching resources.
                      properties:
                        foreach:
                          description: ForEach applies mutation rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachMutation applies mutation rules to
                              a list of sub-elements by creating a context for each
                              entry in the list and looping over it to apply the specified
                              logic.
                            properties:
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              order:
                                description: Order defines the iteration order on
                                  the list. Can be Ascending to iterate from first
                                  to last element or Descending to iterate in from
                                  last to first element.
                                enum:
                                - Ascending
                                - Descending
                                type: string
                              patchStrategicMerge:
                                description: PatchStrategicMerge is a strategic merge
                                  patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                  and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                x-kubernetes-preserve-unknown-fields: true
                              patchesJson6902:
                                description: PatchesJSON6902 is a list of RFC 6902
                                  JSON Patch declarations used to modify resources.
                                  See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                type: string
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        patchStrategicMerge:
                          description: PatchStrategicMerge is a strategic merge patch
                            used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                          x-kubernetes-preserve-unknown-fields: true
                        patchesJson6902:
                          description: PatchesJSON6902 is a list of RFC 6902 JSON
                            Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                            and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                          type: string
                        targets:
                          description: Targets defines the target resources to be
                            mutated.
                          items:
                            description: TargetResourceSpec defines targets for mutating
                              existing resources.
                            properties:
                              apiVersion:
                                description: APIVersion specifies resource apiVersion.
                                type: string
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              kind:
                                description: Kind specifies resource kind.
                                type: string
                              name:
                                description: Name specifies the resource name.
                                type: string
                              namespace:
                                description: Namespace specifies resource namespace.
                                type: string
                              preconditions:
                                description: 'Preconditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. A direct list
                                  of conditions (without `any` or `all` statements
                                  is supported for backwards compatibility but will
                                  be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    name:
                      description: Name is a label to identify the rule, It must be
                        unique within the policy.
                      maxLength: 63
                      type: string
                    preconditions:
                      description: 'Preconditions are used to determine if a policy
                        rule should be applied by evaluating a set of conditions.
                        The declaration can contain nested `any` or `all` statements.
                        A direct list of conditions (without `any` or `all` statements
                        is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/'
                      properties:
                        all:
                          description: AllConditions enable variable-based conditional
                            rule execution. This is useful for finer control of when
                            an rule is applied. A condition can reference object data
                            using JMESPath notation. Here, all of the conditions need
                            to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: 'Operator is the conditional operation
                                  to perform. Valid operators are: Equals, NotEquals,
                                  In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                  DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: Value is the conditional value, or set
                                  of values. The values can be fixed set or can be
                                  variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        any:
                          description: AnyConditions enable variable-based conditional
                            rule execution. This is useful for finer control of when
                            an rule is applied. A condition can reference object data
                            using JMESPath notation. Here, at least one of the conditions
                            need to pass.
                          items:
                            properties:
                              key:
                                description: Key is the context entry (using JMESPath)
                                  for conditional rule evaluation.
                                x-kubernetes-preserve-unknown-fields: true
                              message:
                                description: Message is an optional display message
                                type: string
                              operator:
                                description: 'Operator is the conditional operation
                                  to perform. Valid operators are: Equals, NotEquals,
                                  In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                  GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                  DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
                                enum:
                                - Equals
                                - NotEquals
                                - AnyIn
                                - AllIn
                                - AnyNotIn
                                - AllNotIn
                                - GreaterThanOrEquals
                                - GreaterThan
                                - LessThanOrEquals
                                - LessThan
                                - DurationGreaterThanOrEquals
                                - DurationGreaterThan
                                - DurationLessThanOrEquals
                                - DurationLessThan
                                type: string
                              value:
                                description: Value is the conditional value, or set
                                  of values. The values can be fixed set or can be
                                  variables declared using JMESPath.
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                      type: object
                    validate:
                      description: Validation is used to validate matching resources.
                      properties:
                        anyPattern:
                          description: AnyPattern specifies list of validation patterns.
                            At least one of the patterns must be satisfied for the
                            validation rule to succeed.
                          x-kubernetes-preserve-unknown-fields: true
                        cel:
                          description: CEL allows validation checks using the Common
                            Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                          properties:
                            auditAnnotations:
                              description: AuditAnnotations contains CEL expressions
                                which are used to produce audit annotations for the
                                audit event of the API request.
                              items:
                                description: AuditAnnotation describes how to produce
                                  an audit annotation for an API request.
                                properties:
                                  key:
                                    description: "key specifies the audit annotation
                                      key. The audit annotation keys of a ValidatingAdmissionPolicy
                                      must be unique. The key must be a qualified
                                      name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
                                      63 bytes in length. \n The key is combined with
                                      the resource name of the ValidatingAdmissionPolicy
                                      to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                      name}/{key}\". \n If an admission webhook uses
                                      the same resource name as this ValidatingAdmissionPolicy
                                      and the same audit annotation key, the annotation
                                      key will be identical. In this case, the first
                                      annotation written with the key will be included
                                      in the audit event and all subsequent annotations
                                      with the same key will be discarded. \n Required."
                                    type: string
                                  valueExpression:
                                    description: "valueExpression represents the expression
                                      which is evaluated by CEL to produce an audit
                                      annotation value. The expression must evaluate
                                      to either a string or null value. If the expression
                                      evaluates to a string, the audit annotation
                                      is included with the string value. If the expression
                                      evaluates to null or empty string the audit
                                      annotation will be omitted. The valueExpression
                                      may be no longer than 5kb in length. If the
                                      result of the valueExpression is more than 10kb
                                      in length, it will be truncated to 10kb. \n
                                      If multiple ValidatingAdmissionPolicyBinding
                                      resources match an API request, then the valueExpression
                                      will be evaluated for each binding. All unique
                                      values produced by the valueExpressions will
                                      be joined together in a comma-separated list.
                                      \n Required."
                                    type: string
                                required:
                                - key
                                - valueExpression
                                type: object
                              type: array
                            expressions:
                              description: Expressions is a list of CELExpression
                                types.
                              items:
                                description: Validation specifies the CEL expression
                                  which is used to apply the validation.
                                properties:
                                  expression:
                                    description: "Expression represents the expression
                                      which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                      CEL expressions have access to the contents
                                      of the API request/response, organized into
                                      CEL variables as well as some other useful variables:
                                      \n - 'object' - The object from the incoming
                                      request. The value is null for DELETE requests.
                                      - 'oldObject' - The existing object. The value
                                      is null for CREATE requests. - 'request' - Attributes
                                      of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                      - 'params' - Parameter resource referred to
                                      by the policy binding being evaluated. Only
                                      populated if the policy has a ParamKind. - 'authorizer'
                                      - A CEL Authorizer. May be used to perform authorization
                                      checks for the principal (user or service account)
                                      of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                      - 'authorizer.requestResource' - A CEL ResourceCheck
                                      constructed from the 'authorizer' and configured
                                      with the request resource. \n The `apiVersion`,
                                      `kind`, `metadata.name` and `metadata.generateName`
                                      are always accessible from the root of the object.
                                      No other metadata properties are accessible.
                                      \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
                                      are accessible. Accessible property names are
                                      escaped according to the following rules when
                                      accessed in the expression: - '__' escapes to
                                      '__underscores__' - '.' escapes to '__dot__'
                                      - '-' escapes to '__dash__' - '/' escapes to
                                      '__slash__' - Property names that exactly match
                                      a CEL RESERVED keyword escape to '__{keyword}__'.
                                      The keywords are: \"true\", \"false\", \"null\",
                                      \"in\", \"as\", \"break\", \"const\", \"continue\",
                                      \"else\", \"for\", \"function\", \"if\", \"import\",
                                      \"let\", \"loop\", \"package\", \"namespace\",
                                      \"return\". Examples: - Expression accessing
                                      a property named \"namespace\": {\"Expression\":
                                      \"object.__namespace__ > 0\"} - Expression accessing
                                      a property named \"x-prop\": {\"Expression\":
                                      \"object.x__dash__prop > 0\"} - Expression accessing
                                      a property named \"redact__d\": {\"Expression\":
                                      \"object.redact__underscores__d > 0\"} \n Equality
                                      on arrays with list type of 'set' or 'map' ignores
                                      element order, i.e. [1, 2] == [2, 1]. Concatenation
                                      on arrays with x-kubernetes-list-type use the
                                      semantics of the list type: - 'set': `X + Y`
                                      performs a union where the array positions of
                                      all elements in `X` are preserved and non-intersecting
                                      elements in `Y` are appended, retaining their
                                      partial order. - 'map': `X + Y` performs a merge
                                      where the array positions of all keys in `X`
                                      are preserved but the values are overwritten
                                      by values in `Y` when the key sets of `X` and
                                      `Y` intersect. Elements in `Y` with non-intersecting
                                      keys are appended, retaining their partial order.
                                      Required."
                                    type: string
                                  message:
                                    description: 'Message represents the message displayed
                                      when validation fails. The message is required
                                      if the Expression contains line breaks. The
                                      message must not contain line breaks. If unset,
                                      the message is "failed rule: {Rule}". e.g. "must
                                      be a URL with the host matching spec.host" If
                                      the Expression contains line breaks. Message
                                      is required. The message must not contain line
                                      breaks. If unset, the message is "failed Expression:
                                      {Expression}".'
                                    type: string
                                  messageExpression:
                                    description: 'messageExpression declares a CEL
                                      expression that evaluates to the validation
                                      failure message that is returned when this rule
                                      fails. Since messageExpression is used as a
                                      failure message, it must evaluate to a string.
                                      If both message and messageExpression are present
                                      on a validation, then messageExpression will
                                      be used if validation fails. If messageExpression
                                      results in a runtime error, the runtime error
                                      is logged, and the validation failure message
                                      is produced as if the messageExpression field
                                      were unset. If messageExpression evaluates to
                                      an empty string, a string with only spaces,
                                      or a string that contains line breaks, then
                                      the validation failure message will also be
                                      produced as if the messageExpression field were
                                      unset, and the fact that messageExpression produced
                                      an empty string/string with only spaces/string
                                      with line breaks will be logged. messageExpression
                                      has access to all the same variables as the
                                      `expression` except for ''authorizer'' and ''authorizer.requestResource''.
                                      Example: "object.x must be less than max ("+string(params.max)+")"'
                                    type: string
                                  reason:
                                    description: 'Reason represents a machine-readable
                                      description of why this validation failed. If
                                      this is the first validation in the list to
                                      fail, this reason, as well as the corresponding
                                      HTTP response code, are used in the HTTP response
                                      to the client. The currently supported reasons
                                      are: "Unauthorized", "Forbidden", "Invalid",
                                      "RequestEntityTooLarge". If not set, StatusReasonInvalid
                                      is used in the response to the client.'
                                    type: string
                                required:
                                - expression
                                type: object
                              type: array
                            paramKind:
                              description: ParamKind is a tuple of Group Kind and
                                Version.
                              properties:
                                apiVersion:
                                  description: APIVersion is the API group version
                                    the resources belong to. In format of "group/version".
                                    Required.
                                  type: string
                                kind:
                                  description: Kind is the API kind the resources
                                    belong to. Required.
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                            paramRef:
                              description: ParamRef references a parameter resource.
                              properties:
                                name:
                                  description: Name of the resource being referenced.
                                  type: string
                                namespace:
                                  description: Namespace of the referenced resource.
                                    Should be empty for the cluster-scoped resources
                                  type: string
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        deny:
                          description: Deny defines conditions used to pass or fail
                            a validation rule.
                          properties:
                            conditions:
                              description: 'Multiple conditions can be declared under
                                an `any` or `all` statement. A direct list of conditions
                                (without `any` or `all` statements) is also supported
                                for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                              properties:
                                all:
                                  description: AllConditions enable variable-based
                                    conditional rule execution. This is useful for
                                    finer control of when an rule is applied. A condition
                                    can reference object data using JMESPath notation.
                                    Here, all of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: 'Operator is the conditional
                                          operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn,
                                          AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan,
                                          DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan'
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: Value is the conditional value,
                                          or set of values. The values can be fixed
                                          set or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                                any:
                                  description: AnyConditions enable variable-based
                                    conditional rule execution. This is useful for
                                    finer control of when an rule is applied. A condition
                                    can reference object data using JMESPath notation.
                                    Here, at least one of the conditions need to pass.
                                  items:
                                    properties:
                                      key:
                                        description: Key is the context entry (using
                                          JMESPath) for conditional rule evaluation.
                                        x-kubernetes-preserve-unknown-fields: true
                                      message:
                                        description: Message is an optional display
                                          message
                                        type: string
                                      operator:
                                        description: 'Operator is the conditional
                                          operation to perform. Valid operators are:
                                          Equals, NotEquals, In, AnyIn, AllIn, NotIn,
                                          AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                          GreaterThan, LessThanOrEquals, LessThan,
                                          DurationGreaterThanOrEquals, DurationGreaterThan,
                                          DurationLessThanOrEquals, DurationLessThan'
                                        enum:
                                        - Equals
                                        - NotEquals
                                        - AnyIn
                                        - AllIn
                                        - AnyNotIn
                                        - AllNotIn
                                        - GreaterThanOrEquals
                                        - GreaterThan
                                        - LessThanOrEquals
                                        - LessThan
                                        - DurationGreaterThanOrEquals
                                        - DurationGreaterThan
                                        - DurationLessThanOrEquals
                                        - DurationLessThan
                                        type: string
                                      value:
                                        description: Value is the conditional value,
                                          or set of values. The values can be fixed
                                          set or can be variables declared using JMESPath.
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  type: array
                              type: object
                          type: object
                        foreach:
                          description: ForEach applies validate rules to a list of
                            sub-elements by creating a context for each entry in the
                            list and looping over it to apply the specified logic.
                          items:
                            description: ForEachValidation applies validate rules
                              to a list of sub-elements by creating a context for
                              each entry in the list and looping over it to apply
                              the specified logic.
                            properties:
                              anyPattern:
                                description: AnyPattern specifies list of validation
                                  patterns. At least one of the patterns must be satisfied
                                  for the validation rule to succeed.
                                x-kubernetes-preserve-unknown-fields: true
                              context:
                                description: Context defines variables and data sources
                                  that can be used during rule execution.
                                items:
                                  description: ContextEntry adds variables and data
                                    sources to a rule Context. Either a ConfigMap
                                    reference or a APILookup must be provided.
                                  properties:
                                    apiCall:
                                      description: APICall is an HTTP request to the
                                        Kubernetes API server, or other JSON web service.
                                        The data returned is stored in the context
                                        with the name for the context entry.
                                      properties:
                                        data:
                                          description: Data specifies the POST data
                                            sent to the server.
                                          items:
                                            description: RequestData contains the
                                              HTTP POST data
                                            properties:
                                              key:
                                                description: Key is a unique identifier
                                                  for the data value
                                                type: string
                                              value:
                                                description: Value is the data value
                                                x-kubernetes-preserve-unknown-fields: true
                                            required:
                                            - key
                                            - value
                                            type: object
                                          type: array
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the JSON response returned from the server.
                                            For example a JMESPath of "items | length(@)"
                                            applied to the API server response for
                                            the URLPath "/apis/apps/v1/deployments"
                                            will return the total count of deployments
                                            across all namespaces.
                                          type: string
                                        method:
                                          default: GET
                                          description: Method is the HTTP request
                                            type (GET or POST).
                                          enum:
                                          - GET
                                          - POST
                                          type: string
                                        service:
                                          description: Service is an API call to a
                                            JSON web service
                                          properties:
                                            caBundle:
                                              description: CABundle is a PEM encoded
                                                CA bundle which will be used to validate
                                                the server certificate.
                                              type: string
                                            url:
                                              description: URL is the JSON web service
                                                URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                              type: string
                                          required:
                                          - url
                                          type: object
                                        urlPath:
                                          description: URLPath is the URL path to
                                            be used in the HTTP GET or POST request
                                            to the Kubernetes API server (e.g. "/api/v1/namespaces"
                                            or  "/apis/apps/v1/deployments"). The
                                            format required is the same format used
                                            by the `kubectl get --raw` command. See
                                            https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                            for details.
                                          type: string
                                      type: object
                                    configMap:
                                      description: ConfigMap is the ConfigMap reference.
                                      properties:
                                        name:
                                          description: Name is the ConfigMap name.
                                          type: string
                                        namespace:
                                          description: Namespace is the ConfigMap
                                            namespace.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    imageRegistry:
                                      description: ImageRegistry defines requests
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
                                        imageRegistryCredentials:
                                          description: ImageRegistryCredentials provides
                                            credentials that will be used for authentication
                                            with registry
                                          properties:
                                            allowInsecureRegistry:
                                              description: AllowInsecureRegistry allows
                                                insecure access to a registry
                                              type: boolean
                                            providers:
                                              description: 'Providers specifies a
                                                list of OCI Registry names, whose
                                                authentication providers are provided
                                                It can be of one of these values:
                                                AWS, ACR, GCP, GHCR'
                                              items:
                                                description: ImageRegistryCredentialsProvidersType
                                                  provides the list of credential
                                                  providers required.
                                                enum:
                                                - default
                                                - amazon
                                                - azure
                                                - google
                                                - github
                                                type: string
                                              type: array
                                            secrets:
                                              description: Secrets specifies a list
                                                of secrets that are provided for credentials
                                                Secrets must live in the Kyverno namespace
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
                                            the ImageData struct returned as a result
                                            of processing the image reference.
                                          type: string
                                        reference:
                                          description: 'Reference is image reference
                                            to a container image in the registry.
                                            Example: ghcr.io/kyverno/kyverno:latest'
                                          type: string
                                      required:
                                      - reference
                                      type: object
                                    name:
                                      description: Name is the variable name.
                                      type: string
                                    variable:
                                      description: Variable defines an arbitrary JMESPath
                                        context variable that can be defined inline.
                                      properties:
                                        default:
                                          description: Default is an optional arbitrary
                                            JSON object that the variable may take
                                            if the JMESPath expression evaluates to
                                            nil
                                          x-kubernetes-preserve-unknown-fields: true
                                        jmesPath:
                                          description: JMESPath is an optional JMESPath
                                            Expression that can be used to transform
                                            the variable.
                                          type: string
                                        value:
                                          description: Value is any arbitrary JSON
                                            object representable in YAML or JSON form.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                  type: object
                                type: array
                              deny:
                                description: Deny defines conditions used to pass
                                  or fail a validation rule.
                                properties:
                                  conditions:
                                    description: 'Multiple conditions can be declared
                                      under an `any` or `all` statement. A direct
                                      list of conditions (without `any` or `all` statements)
                                      is also supported for backwards compatibility
                                      but will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              elementScope:
                                description: ElementScope specifies whether to use
                                  the current list element as the scope for validation.
                                  Defaults to "true" if not specified. When set to
                                  "false", "request.object" is used as the validation
                                  scope within the foreach block to allow referencing
                                  other elements in the subtree.
                                type: boolean
                              foreach:
                                description: Foreach declares a nested foreach iterator
                                x-kubernetes-preserve-unknown-fields: true
                              list:
                                description: List specifies a JMESPath expression
                                  that results in one or more elements to which the
                                  validation logic is applied.
                                type: string
                              pattern:
                                description: Pattern specifies an overlay-style pattern
                                  used to check resources.
                                x-kubernetes-preserve-unknown-fields: true
                              preconditions:
                                description: 'AnyAllConditions are used to determine
                                  if a policy rule should be applied by evaluating
                                  a set of conditions. The declaration can contain
                                  nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                properties:
                                  all:
                                    description: AllConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, all of the conditions need to
                                      pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                  any:
                                    description: AnyConditions enable variable-based
                                      conditional rule execution. This is useful for
                                      finer control of when an rule is applied. A
                                      condition can reference object data using JMESPath
                                      notation. Here, at least one of the conditions
                                      need to pass
                                    items:
                                      description: Condition defines variable-based
                                        conditional criteria for rule execution.
                                      properties:
                                        key:
                                          description: Key is the context entry (using
                                            JMESPath) for conditional rule evaluation.
                                          x-kubernetes-preserve-unknown-fields: true
                                        message:
                                          description: Message is an optional display
                                            message
                                          type: string
                                        operator:
                                          description: 'Operator is the conditional
                                            operation to perform. Valid operators
                                            are: Equals, NotEquals, In, AnyIn, AllIn,
                                            NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
                                            GreaterThan, LessThanOrEquals, LessThan,
                                            DurationGreaterThanOrEquals, DurationGreaterThan,
                                            DurationLessThanOrEquals, DurationLessThan'
                                          enum:
                                          - Equals
                                          - NotEquals
                                          - In
                                          - AnyIn
                                          - AllIn
                                          - NotIn
                                          - AnyNotIn
                                          - AllNotIn
                                          - GreaterThanOrEquals
                                          - GreaterThan
                                          - LessThanOrEquals
                                          - LessThan
                                          - DurationGreaterThanOrEquals
                                          - DurationGreaterThan
                                          - DurationLessThanOrEquals
                                          - DurationLessThan
                                          type: string
                                        value:
                                          description: Value is the conditional value,
                                            or set of values. The values can be fixed
                                            set or can be variables declared using
                                            JMESPath.
                                          x-kubernetes-preserve-unknown-fields: true
                                      type: object
                                    type: array
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                            type: object
                          type: array
                        manifests:
                          description: Manifest specifies conditions for manifest
                            verification
                          properties:
                            annotationDomain:
                              description: AnnotationDomain is custom domain of annotation
                                for message and signature. Default is "cosign.sigstore.dev".
                              type: string
                            attestors:
                              description: Attestors specified the required attestors
                                (i.e. authorities)
                              items:
                                properties:
                                  count:
                                    description: Count specifies the required number
                                      of entries that must match. If the count is
                                      null, all entries must match (a logical AND).
                                      If the count is 1, at least one entry must match
                                      (a logical OR). If the count contains a value
                                      N, then N must be less than or equal to the
                                      size of entries, and at least N entries must
                                      match.
                                    minimum: 1
                                    type: integer
                                  entries:
                                    description: Entries contains the available attestors.
                                      An attestor can be a static key, attributes
                                      for keyless verification, or a nested attestor
                                      declaration.
                                    items:
                                      properties:
                                        annotations:
                                          additionalProperties:
                                            type: string
                                          description: Annotations are used for image
                                            verification. Every specified key-value
                                            pair must exist and match in the verified
                                            payload. The payload may contain other
                                            key-value pairs.
                                          type: object
                                        attestor:
                                          description: Attestor is a nested AttestorSet
                                            used to specify a more complex set of
                                            match authorities
                                          x-kubernetes-preserve-unknown-fields: true
                                        certificates:
                                          description: Certificates specifies one
                                            or more certificates
                                          properties:
                                            cert:
                                              description: Certificate is an optional
                                                PEM encoded public certificate.
                                              type: string
                                            certChain:
                                              description: CertificateChain is an
                                                optional PEM encoded set of certificates
                                                used to verify
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked. If an empty object is provided
                                                the public instance of Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                          type: object
                                        keyless:
                                          description: Keyless is a set of attribute
                                            used to verify a Sigstore keyless attestor.
                                            See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                          properties:
                                            additionalExtensions:
                                              additionalProperties:
                                                type: string
                                              description: AdditionalExtensions are
                                                certificate-extensions used for keyless
                                                signing.
                                              type: object
                                            issuer:
                                              description: Issuer is the certificate
                                                issuer used for keyless signing.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, Rekor is not
                                                checked and a root certificate chain
                                                is expected instead. If an empty object
                                                is provided the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            roots:
                                              description: Roots is an optional set
                                                of PEM encoded trusted root certificates.
                                                If not provided, the system roots
                                                are used.
                                              type: string
                                            subject:
                                              description: Subject is the verified
                                                identity used for keyless signing,
                                                for example the email address
                                              type: string
                                          type: object
                                        keys:
                                          description: Keys specifies one or more
                                            public keys
                                          properties:
                                            kms:
                                              description: 'KMS provides the URI to
                                                the public key stored in a Key Management
                                                System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                              type: string
                                            publicKeys:
                                              description: Keys is a set of X.509
                                                public keys used to verify image signatures.
                                                The keys can be directly specified
                                                or can be a variable reference to
                                                a key specified in a ConfigMap (see
                                                https://kyverno.io/docs/writing-policies/variables/),
                                                or reference a standard Kubernetes
                                                Secret elsewhere in the cluster by
                                                specifying it in the format "k8s://<namespace>/<secret_name>".
                                                The named Secret must specify a key
                                                `cosign.pub` containing the public
                                                key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                When multiple keys are specified each
                                                key is processed as a separate staticKey
                                                entry (.attestors[*].entries.keys)
                                                within the set of attestors and the
                                                count is applied across the keys.
                                              type: string
                                            rekor:
                                              description: Rekor provides configuration
                                                for the Rekor transparency log service.
                                                If the value is nil, or an empty object
                                                is provided, the public instance of
                                                Rekor (https://rekor.sigstore.dev)
                                                is used.
                                              properties:
                                                ignoreSCT:
                                                  description: IgnoreSCT requires
                                                    that a certificate contain an
                                                    embedded SCT during verification.
                                                    An SCT is proof of inclusion in
                                                    a certificate transparency log.
                                                  type: boolean
                                                ignoreTlog:
                                                  description: IgnoreTlog skip tlog
                                                    verification
                                                  type: boolean
                                                pubkey:
                                                  description: RekorPubKey is an optional
                                                    PEM encoded public key to use
                                                    for a custom Rekor. If set, is
                                                    used to validate signatures on
                                                    log entries from Rekor.
                                                  type: string
                                                url:
                                                  description: URL is the address
                                                    of the transparency log. Defaults
                                                    to the public log https://rekor.sigstore.dev.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            secret:
                                              description: Reference to a Secret resource
                                                that contains a public key
                                              properties:
                                                name:
                                                  description: Name of the secret.
                                                    The provided secret must contain
                                                    a key named cosign.pub.
                                                  type: string
                                                namespace:
                                                  description: Namespace name where
                                                    the Secret exists.
                                                  type: string
                                              required:
                                              - name
                                              - namespace
                                              type: object
                                            signatureAlgorithm:
                                              default: sha256
                                              description: Specify signature algorithm
                                                for public keys. Supported values
                                                are sha256 and sha512
                                              type: string
                                          type: object
                                        repository:
                                          description: Repository is an optional alternate
                                            OCI repository to use for signatures and
                                            attestations that match this rule. If
                                            specified Repository will override other
                                            OCI image repository locations for this
                                            Attestor.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            dryRun:
                              description: DryRun configuration
                              properties:
                                enable:
                                  type: boolean
                                namespace:
                                  type: string
                              type: object
                            ignoreFields:
                              description: Fields which will be ignored while comparing
                                manifests.
                              items:
                                properties:
                                  fields:
                                    items:
                                      type: string
                                    type: array
                                  objects:
                                    items:
                                      properties:
                                        group:
                                          type: string
                                        kind:
                                          type: string
                                        name:
                                          type: string
                                        namespace:
                                          type: string
                                        version:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            repository:
                              description: Repository is an optional alternate OCI
                                repository to use for resource bundle reference. The
                                repository can be overridden per Attestor or Attestation.
                              type: string
                          type: object
                        message:
                          description: Message specifies a custom message to be displayed
                            on failure.
                          type: string
                        pattern:
                          description: Pattern specifies an overlay-style pattern
                            used to check resources.
                          x-kubernetes-preserve-unknown-fields: true
                        podSecurity:
                          description: PodSecurity applies exemptions for Kubernetes
                            Pod Security admission by specifying exclusions for Pod
                            Security Standards controls.
                          properties:
                            exclude:
                              description: Exclude specifies the Pod Security Standard
                                controls to be excluded.
                              items:
                                description: PodSecurityStandard specifies the Pod
                                  Security Standard controls to be excluded.
                                properties:
                                  controlName:
                                    description: 'ControlName specifies the name of
                                      the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                    enum:
                                    - HostProcess
                                    - Host Namespaces
                                    - Privileged Containers
                                    - Capabilities
                                    - HostPath Volumes
                                    - Host Ports
                                    - AppArmor
                                    - SELinux
                                    - /proc Mount Type
                                    - Seccomp
                                    - Sysctls
                                    - Volume Types
                                    - Privilege Escalation
                                    - Running as Non-root
                                    - Running as Non-root user
                                    type: string
                                  images:
                                    description: 'Images selects matching containers
                                      and applies the container level PSS. Each image
                                      is the image name consisting of the registry
                                      address, repository, image, and tag. Empty list
                                      matches no containers, PSS checks are applied
                                      at the pod level only. Wildcards (''*'' and
                                      ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                    items:
                                      type: string
                                    type: array
                                required:
                                - controlName
                                type: object
                              type: array
                            level:
                              description: Level defines the Pod Security Standard
                                level to be applied to workloads. Allowed values are
                                privileged, baseline, and restricted.
                              enum:
                              - privileged
                              - baseline
                              - restricted
                              type: string
                            version:
                              description: Version defines the Pod Security Standard
                                versions that Kubernetes supports. Allowed values
                                are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
                                v1.26, latest. Defaults to latest.
                              enum:
                              - v1.19
                              - v1.20
                              - v1.21
                              - v1.22
                              - v1.23
                              - v1.24
                              - v1.25
                              - v1.26
                              - latest
                              type: string
                          type: object
                      type: object
                    verifyImages:
                      description: VerifyImages is used to verify image signatures
                        and mutate them to add a digest
                      items:
                        description: ImageVerification validates that images that
                          match the specified pattern are signed with the supplied
                          public key. Once the image is verified it is mutated to
                          include the SHA digest retrieved during the registration.
                        properties:
                          attestations:
                            description: Attestations are optional checks for signed
                              in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
                              Kyverno fetches signed attestations from the OCI registry
                              and decodes them into a list of Statement declarations.
                            items:
                              description: Attestation are checks for signed in-toto
                                Statements that are used to verify the image. See
                                https://github.com/in-toto/attestation. Kyverno fetches
                                signed attestations from the OCI registry and decodes
                                them into a list of Statements.
                              properties:
                                attestors:
                                  description: Attestors specify the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                conditions:
                                  description: Conditions are used to verify attributes
                                    within a Predicate. If no Conditions are specified
                                    the attestation check is satisfied as long there
                                    are predicates that match the predicate type.
                                  items:
                                    description: AnyAllConditions consists of conditions
                                      wrapped denoting a logical criteria to be fulfilled.
                                      AnyConditions get fulfilled when at least one
                                      of its sub-conditions passes. AllConditions
                                      get fulfilled only when all of its sub-conditions
                                      pass.
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                predicateType:
                                  description: PredicateType defines the type of Predicate
                                    contained within the Statement. Deprecated in
                                    favour of 'Type', to be removed soon
                                  type: string
                                type:
                                  description: Type defines the type of attestation
                                    contained within the Statement.
                                  type: string
                              type: object
                            type: array
                          attestors:
                            description: Attestors specified the required attestors
                              (i.e. authorities)
                            items:
                              properties:
                                count:
                                  description: Count specifies the required number
                                    of entries that must match. If the count is null,
                                    all entries must match (a logical AND). If the
                                    count is 1, at least one entry must match (a logical
                                    OR). If the count contains a value N, then N must
                                    be less than or equal to the size of entries,
                                    and at least N entries must match.
                                  minimum: 1
                                  type: integer
                                entries:
                                  description: Entries contains the available attestors.
                                    An attestor can be a static key, attributes for
                                    keyless verification, or a nested attestor declaration.
                                  items:
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations are used for image
                                          verification. Every specified key-value
                                          pair must exist and match in the verified
                                          payload. The payload may contain other key-value
                                          pairs.
                                        type: object
                                      attestor:
                                        description: Attestor is a nested AttestorSet
                                          used to specify a more complex set of match
                                          authorities
                                        x-kubernetes-preserve-unknown-fields: true
                                      certificates:
                                        description: Certificates specifies one or
                                          more certificates
                                        properties:
                                          cert:
                                            description: Certificate is an optional
                                              PEM encoded public certificate.
                                            type: string
                                          certChain:
                                            description: CertificateChain is an optional
                                              PEM encoded set of certificates used
                                              to verify
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked.
                                              If an empty object is provided the public
                                              instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                        type: object
                                      keyless:
                                        description: Keyless is a set of attribute
                                          used to verify a Sigstore keyless attestor.
                                          See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                        properties:
                                          additionalExtensions:
                                            additionalProperties:
                                              type: string
                                            description: AdditionalExtensions are
                                              certificate-extensions used for keyless
                                              signing.
                                            type: object
                                          issuer:
                                            description: Issuer is the certificate
                                              issuer used for keyless signing.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, Rekor is not checked
                                              and a root certificate chain is expected
                                              instead. If an empty object is provided
                                              the public instance of Rekor (https://rekor.sigstore.dev)
                                              is used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          roots:
                                            description: Roots is an optional set
                                              of PEM encoded trusted root certificates.
                                              If not provided, the system roots are
                                              used.
                                            type: string
                                          subject:
                                            description: Subject is the verified identity
                                              used for keyless signing, for example
                                              the email address
                                            type: string
                                        type: object
                                      keys:
                                        description: Keys specifies one or more public
                                          keys
                                        properties:
                                          kms:
                                            description: 'KMS provides the URI to
                                              the public key stored in a Key Management
                                              System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                            type: string
                                          publicKeys:
                                            description: Keys is a set of X.509 public
                                              keys used to verify image signatures.
                                              The keys can be directly specified or
                                              can be a variable reference to a key
                                              specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                              or reference a standard Kubernetes Secret
                                              elsewhere in the cluster by specifying
                                              it in the format "k8s://<namespace>/<secret_name>".
                                              The named Secret must specify a key
                                              `cosign.pub` containing the public key
                                              used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                              When multiple keys are specified each
                                              key is processed as a separate staticKey
                                              entry (.attestors[*].entries.keys) within
                                              the set of attestors and the count is
                                              applied across the keys.
                                            type: string
                                          rekor:
                                            description: Rekor provides configuration
                                              for the Rekor transparency log service.
                                              If the value is nil, or an empty object
                                              is provided, the public instance of
                                              Rekor (https://rekor.sigstore.dev) is
                                              used.
                                            properties:
                                              ignoreSCT:
                                                description: IgnoreSCT requires that
                                                  a certificate contain an embedded
                                                  SCT during verification. An SCT
                                                  is proof of inclusion in a certificate
                                                  transparency log.
                                                type: boolean
                                              ignoreTlog:
                                                description: IgnoreTlog skip tlog
                                                  verification
                                                type: boolean
                                              pubkey:
                                                description: RekorPubKey is an optional
                                                  PEM encoded public key to use for
                                                  a custom Rekor. If set, is used
                                                  to validate signatures on log entries
                                                  from Rekor.
                                                type: string
                                              url:
                                                description: URL is the address of
                                                  the transparency log. Defaults to
                                                  the public log https://rekor.sigstore.dev.
                                                type: string
                                            required:
                                            - url
                                            type: object
                                          secret:
                                            description: Reference to a Secret resource
                                              that contains a public key
                                            properties:
                                              name:
                                                description: Name of the secret. The
                                                  provided secret must contain a key
                                                  named cosign.pub.
                                                type: string
                                              namespace:
                                                description: Namespace name where
                                                  the Secret exists.
                                                type: string
                                            required:
                                            - name
                                            - namespace
                                            type: object
                                          signatureAlgorithm:
                                            default: sha256
                                            description: Specify signature algorithm
                                              for public keys. Supported values are
                                              sha256 and sha512
                                            type: string
                                        type: object
                                      repository:
                                        description: Repository is an optional alternate
                                          OCI repository to use for signatures and
                                          attestations that match this rule. If specified
                                          Repository will override other OCI image
                                          repository locations for this Attestor.
                                        type: string
                                    type: object
                                  type: array
                              type: object
                            type: array
                          imageReferences:
                            description: 'ImageReferences is a list of matching image
                              reference patterns. At least one pattern in the list
                              must match the image for the rule to apply. Each image
                              reference consists of a registry address (defaults to
                              docker.io), repository, image, and tag (defaults to
                              latest). Wildcards (''*'' and ''?'') are allowed. See:
                              https://kubernetes.io/docs/concepts/containers/images.'
                            items:
                              type: string
                            type: array
                          imageRegistryCredentials:
                            description: ImageRegistryCredentials provides credentials
                              that will be used for authentication with registry
                            properties:
                              allowInsecureRegistry:
                                description: AllowInsecureRegistry allows insecure
                                  access to a registry
                                type: boolean
                              providers:
                                description: 'Providers specifies a list of OCI Registry
                                  names, whose authentication providers are provided
                                  It can be of one of these values: AWS, ACR, GCP,
                                  GHCR'
                                items:
                                  description: ImageRegistryCredentialsProvidersType
                                    provides the list of credential providers required.
                                  enum:
                                  - default
                                  - amazon
                                  - azure
                                  - google
                                  - github
                                  type: string
                                type: array
                              secrets:
                                description: Secrets specifies a list of secrets that
                                  are provided for credentials Secrets must live in
                                  the Kyverno namespace
                                items:
                                  type: string
                                type: array
                            type: object
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
                              tags with digests. Defaults to true.
                            type: boolean
                          repository:
                            description: Repository is an optional alternate OCI repository
                              to use for image signatures and attestations that match
                              this rule. If specified Repository will override the
                              default OCI image repository configured for the installation.
                              The repository can also be overridden per Attestor or
                              Attestation.
                            type: string
                          required:
                            default: true
                            description: Required validates that images are verified
                              i.e. have matched passed a signature or attestation
                              check.
                            type: boolean
                          type:
                            description: Type specifies the method of signature validation.
                              The allowed options are Cosign and Notary. By default
                              Cosign is used if a type is not specified.
                            enum:
                            - Cosign
                            - Notary
                            type: string
                          useCache:
                            default: true
                            description: UseCache enables caching of image verify
                              responses for this rule
                            type: boolean
                          verifyDigest:
                            default: true
                            description: VerifyDigest validates that images have a
                              digest.
                            type: boolean
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              schemaValidation:
                description: SchemaValidation skips validation checks for policies
                  as well as patched resources. Optional. The default value is set
                  to "true", it must be set to "false" to disable the validation checks.
                type: boolean
              useServerSideApply:
                description: UseServerSideApply controls whether to use server-side
                  apply for generate rules If is set to "true" create & update for
                  generate rules will use apply instead of create/update. Defaults
                  to "false" if not specified.
                type: boolean
              validationFailureAction:
                default: Audit
                description: ValidationFailureAction defines if a validation policy
                  rule violation should block the admission review request (enforce),
                  or allow (audit) the admission review request and report an error
                  in a policy report. Optional. Allowed values are audit or enforce.
                  The default value is "Audit".
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
                  attribute that specifies ValidationFailureAction namespace-wise.
                  It overrides ValidationFailureAction for the specified namespaces.
                items:
                  properties:
                    action:
                      description: ValidationFailureAction defines the policy validation
                        failure action
                      enum:
                      - audit
                      - enforce
                      - Audit
                      - Enforce
                      type: string
                    namespaceSelector:
                      description: A label selector is a label query over a set of
                        resources. The result of matchLabels and matchExpressions
                        are ANDed. An empty label selector matches all objects. A
                        null label selector matches no objects.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              webhookTimeoutSeconds:
                description: WebhookTimeoutSeconds specifies the maximum time in seconds
                  allowed to apply this policy. After the configured time expires,
                  the admission request may fail, or may simply ignore the policy
                  results, based on the failure policy. The default timeout is 10s,
                  the value must be between 1 and 30 seconds.
                format: int32
                type: integer
            type: object
          status:
            description: Status contains policy runtime data.
            properties:
              autogen:
                description: Autogen contains autogen status information
                properties:
                  rules:
                    description: Rules is a list of Rule instances. It contains auto
                      generated rules added for pod controllers
                    items:
                      description: Rule defines a validation, mutation, or generation
                        control for matching resources. Each rules contains a match
                        declaration to select resources, and an optional exclude declaration
                        to specify which resources to exclude.
                      properties:
                        celPreconditions:
                          description: CELPreconditions are used to determine if a
                            policy rule should be applied by evaluating a set of CEL
                            conditions. It can only be used with the validate.cel
                            subrule
                          items:
                            description: MatchCondition represents a condition which
                              must by fulfilled for a request to be sent to a webhook.
                            properties:
                              expression:
                                description: "Expression represents the expression
                                  which will be evaluated by CEL. Must evaluate to
                                  bool. CEL expressions have access to the contents
                                  of the AdmissionRequest and Authorizer, organized
                                  into CEL variables: \n 'object' - The object from
                                  the incoming request. The value is null for DELETE
                                  requests. 'oldObject' - The existing object. The
                                  value is null for CREATE requests. 'request' - Attributes
                                  of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
                                  'authorizer' - A CEL Authorizer. May be used to
                                  perform authorization checks for the principal (user
                                  or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                  'authorizer.requestResource' - A CEL ResourceCheck
                                  constructed from the 'authorizer' and configured
                                  with the request resource. Documentation on CEL:
                                  https://kubernetes.io/docs/reference/using-api/cel/
                                  \n Required."
                                type: string
                              name:
                                description: "Name is an identifier for this match
                                  condition, used for strategic merging of MatchConditions,
                                  as well as providing an identifier for logging purposes.
                                  A good name should be descriptive of the associated
                                  expression. Name must be a qualified name consisting
                                  of alphanumeric characters, '-', '_' or '.', and
                                  must start and end with an alphanumeric character
                                  (e.g. 'MyName',  or 'my.name',  or '123-abc', regex
                                  used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
                                  with an optional DNS subdomain prefix and '/' (e.g.
                                  'example.com/MyName') \n Required."
                                type: string
                            required:
                            - expression
                            - name
                            type: object
                          type: array
                        context:
                          description: Context defines variables and data sources
                            that can be used during rule execution.
                          items:
                            description: ContextEntry adds variables and data sources
                              to a rule Context. Either a ConfigMap reference or a
                              APILookup must be provided.
                            properties:
                              apiCall:
                                description: APICall is an HTTP request to the Kubernetes
                                  API server, or other JSON web service. The data
                                  returned is stored in the context with the name
                                  for the context entry.
                                properties:
                                  data:
                                    description: Data specifies the POST data sent
                                      to the server.
                                    items:
                                      description: RequestData contains the HTTP POST
                                        data
                                      properties:
                                        key:
                                          description: Key is a unique identifier
                                            for the data value
                                          type: string
                                        value:
                                          description: Value is the data value
                                          x-kubernetes-preserve-unknown-fields: true
                                      required:
                                      - key
                                      - value
                                      type: object
                                    type: array
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      JSON response returned from the server. For
                                      example a JMESPath of "items | length(@)" applied
                                      to the API server response for the URLPath "/apis/apps/v1/deployments"
                                      will return the total count of deployments across
                                      all namespaces.
                                    type: string
                                  method:
                                    default: GET
                                    description: Method is the HTTP request type (GET
                                      or POST).
                                    enum:
                                    - GET
                                    - POST
                                    type: string
                                  service:
                                    description: Service is an API call to a JSON
                                      web service
                                    properties:
                                      caBundle:
                                        description: CABundle is a PEM encoded CA
                                          bundle which will be used to validate the
                                          server certificate.
                                        type: string
                                      url:
                                        description: URL is the JSON web service URL.
                                          A typical form is `https://{service}.{namespace}:{port}/{path}`.
                                        type: string
                                    required:
                                    - url
                                    type: object
                                  urlPath:
                                    description: URLPath is the URL path to be used
                                      in the HTTP GET or POST request to the Kubernetes
                                      API server (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                      The format required is the same format used
                                      by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                      for details.
                                    type: string
                                type: object
                              configMap:
                                description: ConfigMap is the ConfigMap reference.
                                properties:
                                  name:
                                    description: Name is the ConfigMap name.
                                    type: string
                                  namespace:
                                    description: Namespace is the ConfigMap namespace.
                                    type: string
                                required:
                                - name
                                type: object
                              imageRegistry:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
                                  imageRegistryCredentials:
                                    description: ImageRegistryCredentials provides
                                      credentials that will be used for authentication
                                      with registry
                                    properties:
                                      allowInsecureRegistry:
                                        description: AllowInsecureRegistry allows
                                          insecure access to a registry
                                        type: boolean
                                      providers:
                                        description: 'Providers specifies a list of
                                          OCI Registry names, whose authentication
                                          providers are provided It can be of one
                                          of these values: AWS, ACR, GCP, GHCR'
                                        items:
                                          description: ImageRegistryCredentialsProvidersType
                                            provides the list of credential providers
                                            required.
                                          enum:
                                          - default
                                          - amazon
                                          - azure
                                          - google
                                          - github
                                          type: string
                                        type: array
                                      secrets:
                                        description: Secrets specifies a list of secrets
                                          that are provided for credentials Secrets
                                          must live in the Kyverno namespace
                                        items:
                                          type: string
                                        type: array
                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
                                      ImageData struct returned as a result of processing
                                      the image reference.
                                    type: string
                                  reference:
                                    description: 'Reference is image reference to
                                      a container image in the registry. Example:
                                      ghcr.io/kyverno/kyverno:latest'
                                    type: string
                                required:
                                - reference
                                type: object
                              name:
                                description: Name is the variable name.
                                type: string
                              variable:
                                description: Variable defines an arbitrary JMESPath
                                  context variable that can be defined inline.
                                properties:
                                  default:
                                    description: Default is an optional arbitrary
                                      JSON object that the variable may take if the
                                      JMESPath expression evaluates to nil
                                    x-kubernetes-preserve-unknown-fields: true
                                  jmesPath:
                                    description: JMESPath is an optional JMESPath
                                      Expression that can be used to transform the
                                      variable.
                                    type: string
                                  value:
                                    description: Value is any arbitrary JSON object
                                      representable in YAML or JSON form.
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                            type: object
                          type: array
                        exclude:
                          description: ExcludeResources defines when this policy rule
                            should not be applied. The exclude criteria can include
                            resource information (e.g. kind, name, namespace, labels)
                            and admission review request information like the name
                            or role.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        generate:
                          description: Generation is used to create new resources.
                          properties:
                            apiVersion:
                              description: APIVersion specifies resource apiVersion.
                              type: string
                            clone:
                              description: Clone specifies the source resource used
                                to populate each generated resource. At most one of
                                Data or Clone can be specified. If neither are provided,
                                the generated resource will be created with default
                                data only.
                              properties:
                                name:
                                  description: Name specifies name of the resource.
                                  type: string
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                              type: object
                            cloneList:
                              description: CloneList specifies the list of source
                                resource used to populate each generated resource.
                              properties:
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                namespace:
                                  description: Namespace specifies source resource
                                    namespace.
                                  type: string
                                selector:
                                  description: Selector is a label selector. Label
                                    keys and values in `matchLabels`. wildcard characters
                                    are not supported.
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            data:
                              description: Data provides the resource declaration
                                used to populate each generated resource. At most
                                one of Data or Clone must be specified. If neither
                                are provided, the generated resource will be created
                                with default data only.
                              x-kubernetes-preserve-unknown-fields: true
                            kind:
                              description: Kind specifies resource kind.
                              type: string
                            name:
                              description: Name specifies the resource name.
                              type: string
                            namespace:
                              description: Namespace specifies resource namespace.
                              type: string
                            synchronize:
                              description: Synchronize controls if generated resources
                                should be kept in-sync with their source resource.
                                If Synchronize is set to "true" changes to generated
                                resources will be overwritten with resource data from
                                Data or the resource specified in the Clone declaration.
                                Optional. Defaults to "false" if not specified.
                              type: boolean
                          type: object
                        imageExtractors:
                          additionalProperties:
                            items:
                              properties:
                                jmesPath:
                                  description: 'JMESPath is an optional JMESPath expression
                                    to apply to the image value. This is useful when
                                    the extracted image begins with a prefix like
                                    ''docker://''. The ''trim_prefix'' function may
                                    be used to trim the prefix: trim_prefix(@, ''docker://'').
                                    Note - Image digest mutation may not be used when
                                    applying a JMESPAth to an image.'
                                  type: string
                                key:
                                  description: Key is an optional name of the field
                                    within 'path' that will be used to uniquely identify
                                    an image. Note - this field MUST be unique.
                                  type: string
                                name:
                                  description: Name is the entry the image will be
                                    available under 'images.<name>' in the context.
                                    If this field is not defined, image entries will
                                    appear under 'images.custom'.
                                  type: string
                                path:
                                  description: Path is the path to the object containing
                                    the image field in a custom resource. It should
                                    be slash-separated. Each slash-separated key must
                                    be a valid YAML key or a wildcard '*'. Wildcard
                                    keys are expanded in case of arrays or objects.
                                  type: string
                                value:
                                  description: Value is an optional name of the field
                                    within 'path' that points to the image URI. This
                                    is useful when a custom 'key' is also defined.
                                  type: string
                              required:
                              - path
                              type: object
                            type: array
                          description: ImageExtractors defines a mapping from kinds
                            to ImageExtractorConfigs. This config is only valid for
                            verifyImages rules.
                          type: object
                        match:
                          description: MatchResources defines when this policy rule
                            should be applied. The match criteria can include resource
                            information (e.g. kind, name, namespace, labels) and admission
                            review request information like the user name or role.
                            At least one kind is required.
                          properties:
                            all:
                              description: All allows specifying resources which will
                                be ANDed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            any:
                              description: Any allows specifying resources which will
                                be ORed
                              items:
                                description: ResourceFilter allow users to "AND" or
                                  "OR" between resources
                                properties:
                                  clusterRoles:
                                    description: ClusterRoles is the list of cluster-wide
                                      role names for the user.
                                    items:
                                      type: string
                                    type: array
                                  resources:
                                    description: ResourceDescription contains information
                                      about the resource being created or modified.
                                    properties:
                                      annotations:
                                        additionalProperties:
                                          type: string
                                        description: Annotations is a  map of annotations
                                          (key-value pairs of type string). Annotation
                                          keys and values support the wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (matches at least one character).
                                        type: object
                                      kinds:
                                        description: Kinds is a list of resource kinds.
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: 'Name is the name of the resource.
                                          The name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character). NOTE: "Name" is
                                          being deprecated in favor of "Names".'
                                        type: string
                                      names:
                                        description: Names are the names of the resources.
                                          Each name supports wildcard characters "*"
                                          (matches zero or many characters) and "?"
                                          (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      namespaceSelector:
                                        description: 'NamespaceSelector is a label
                                          selector for the resource namespace. Label
                                          keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character).Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                      namespaces:
                                        description: Namespaces is a list of namespaces
                                          names. Each name supports wildcard characters
                                          "*" (matches zero or many characters) and
                                          "?" (at least one character).
                                        items:
                                          type: string
                                        type: array
                                      operations:
                                        description: Operations can contain values
                                          ["CREATE, "UPDATE", "CONNECT", "DELETE"],
                                          which are used to match a specific action.
                                        items:
                                          description: AdmissionOperation can have
                                            one of the values CREATE, UPDATE, CONNECT,
                                            DELETE, which are used to match a specific
                                            action.
                                          enum:
                                          - CREATE
                                          - CONNECT
                                          - UPDATE
                                          - DELETE
                                          type: string
                                        type: array
                                      selector:
                                        description: 'Selector is a label selector.
                                          Label keys and values in `matchLabels` support
                                          the wildcard characters `*` (matches zero
                                          or many characters) and `?` (matches one
                                          character). Wildcards allows writing label
                                          selectors like ["storage.k8s.io/*": "*"].
                                          Note that using ["*" : "*"] matches any
                                          key and value but does not match an empty
                                          label set.'
                                        properties:
                                          matchExpressions:
                                            description: matchExpressions is a list
                                              of label selector requirements. The
                                              requirements are ANDed.
                                            items:
                                              description: A label selector requirement
                                                is a selector that contains values,
                                                a key, and an operator that relates
                                                the key and values.
                                              properties:
                                                key:
                                                  description: key is the label key
                                                    that the selector applies to.
                                                  type: string
                                                operator:
                                                  description: operator represents
                                                    a key's relationship to a set
                                                    of values. Valid operators are
                                                    In, NotIn, Exists and DoesNotExist.
                                                  type: string
                                                values:
                                                  description: values is an array
                                                    of string values. If the operator
                                                    is In or NotIn, the values array
                                                    must be non-empty. If the operator
                                                    is Exists or DoesNotExist, the
                                                    values array must be empty. This
                                                    array is replaced during a strategic
                                                    merge patch.
                                                  items:
                                                    type: string
                                                  type: array
                                              required:
                                              - key
                                              - operator
                                              type: object
                                            type: array
                                          matchLabels:
                                            additionalProperties:
                                              type: string
                                            description: matchLabels is a map of {key,value}
                                              pairs. A single {key,value} in the matchLabels
                                              map is equivalent to an element of matchExpressions,
                                              whose key field is "key", the operator
                                              is "In", and the values array contains
                                              only "value". The requirements are ANDed.
                                            type: object
                                        type: object
                                        x-kubernetes-map-type: atomic
                                    type: object
                                  roles:
                                    description: Roles is the list of namespaced role
                                      names for the user.
                                    items:
                                      type: string
                                    type: array
                                  subjects:
                                    description: Subjects is the list of subject names
                                      like users, user groups, and service accounts.
                                    items:
                                      description: Subject contains a reference to
                                        the object or user identities a role binding
                                        applies to.  This can either hold a direct
                                        API object reference, or a value for non-objects
                                        such as user and group names.
                                      properties:
                                        apiGroup:
                                          description: APIGroup holds the API group
                                            of the referenced subject. Defaults to
                                            "" for ServiceAccount subjects. Defaults
                                            to "rbac.authorization.k8s.io" for User
                                            and Group subjects.
                                          type: string
                                        kind:
                                          description: Kind of object being referenced.
                                            Values defined by this API group are "User",
                                            "Group", and "ServiceAccount". If the
                                            Authorizer does not recognized the kind
                                            value, the Authorizer should report an
                                            error.
                                          type: string
                                        name:
                                          description: Name of the object being referenced.
                                          type: string
                                        namespace:
                                          description: Namespace of the referenced
                                            object.  If the object kind is non-namespace,
                                            such as "User" or "Group", and this value
                                            is not empty the Authorizer should report
                                            an error.
                                          type: string
                                      required:
                                      - kind
                                      - name
                                      type: object
                                      x-kubernetes-map-type: atomic
                                    type: array
                                type: object
                              type: array
                            clusterRoles:
                              description: ClusterRoles is the list of cluster-wide
                                role names for the user.
                              items:
                                type: string
                              type: array
                            resources:
                              description: ResourceDescription contains information
                                about the resource being created or modified. Requires
                                at least one tag to be specified when under MatchResources.
                                Specifying ResourceDescription directly under match
                                is being deprecated. Please specify under "any" or
                                "all" instead.
                              properties:
                                annotations:
                                  additionalProperties:
                                    type: string
                                  description: Annotations is a  map of annotations
                                    (key-value pairs of type string). Annotation keys
                                    and values support the wildcard characters "*"
                                    (matches zero or many characters) and "?" (matches
                                    at least one character).
                                  type: object
                                kinds:
                                  description: Kinds is a list of resource kinds.
                                  items:
                                    type: string
                                  type: array
                                name:
                                  description: 'Name is the name of the resource.
                                    The name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character). NOTE: "Name" is being deprecated in
                                    favor of "Names".'
                                  type: string
                                names:
                                  description: Names are the names of the resources.
                                    Each name supports wildcard characters "*" (matches
                                    zero or many characters) and "?" (at least one
                                    character).
                                  items:
                                    type: string
                                  type: array
                                namespaceSelector:
                                  description: 'NamespaceSelector is a label selector
                                    for the resource namespace. Label keys and values
                                    in `matchLabels` support the wildcard characters
                                    `*` (matches zero or many characters) and `?`
                                    (matches one character).Wildcards allows writing
                                    label selectors like ["storage.k8s.io/*": "*"].
                                    Note that using ["*" : "*"] matches any key and
                                    value but does not match an empty label set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                                namespaces:
                                  description: Namespaces is a list of namespaces
                                    names. Each name supports wildcard characters
                                    "*" (matches zero or many characters) and "?"
                                    (at least one character).
                                  items:
                                    type: string
                                  type: array
                                operations:
                                  description: Operations can contain values ["CREATE,
                                    "UPDATE", "CONNECT", "DELETE"], which are used
                                    to match a specific action.
                                  items:
                                    description: AdmissionOperation can have one of
                                      the values CREATE, UPDATE, CONNECT, DELETE,
                                      which are used to match a specific action.
                                    enum:
                                    - CREATE
                                    - CONNECT
                                    - UPDATE
                                    - DELETE
                                    type: string
                                  type: array
                                selector:
                                  description: 'Selector is a label selector. Label
                                    keys and values in `matchLabels` support the wildcard
                                    characters `*` (matches zero or many characters)
                                    and `?` (matches one character). Wildcards allows
                                    writing label selectors like ["storage.k8s.io/*":
                                    "*"]. Note that using ["*" : "*"] matches any
                                    key and value but does not match an empty label
                                    set.'
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            roles:
                              description: Roles is the list of namespaced role names
                                for the user.
                              items:
                                type: string
                              type: array
                            subjects:
                              description: Subjects is the list of subject names like
                                users, user groups, and service accounts.
                              items:
                                description: Subject contains a reference to the object
                                  or user identities a role binding applies to.  This
                                  can either hold a direct API object reference, or
                                  a value for non-objects such as user and group names.
                                properties:
                                  apiGroup:
                                    description: APIGroup holds the API group of the
                                      referenced subject. Defaults to "" for ServiceAccount
                                      subjects. Defaults to "rbac.authorization.k8s.io"
                                      for User and Group subjects.
                                    type: string
                                  kind:
                                    description: Kind of object being referenced.
                                      Values defined by this API group are "User",
                                      "Group", and "ServiceAccount". If the Authorizer
                                      does not recognized the kind value, the Authorizer
                                      should report an error.
                                    type: string
                                  name:
                                    description: Name of the object being referenced.
                                    type: string
                                  namespace:
                                    description: Namespace of the referenced object.  If
                                      the object kind is non-namespace, such as "User"
                                      or "Group", and this value is not empty the
                                      Authorizer should report an error.
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                                x-kubernetes-map-type: atomic
                              type: array
                          type: object
                        mutate:
                          description: Mutation is used to modify matching resources.
                          properties:
                            foreach:
                              description: ForEach applies mutation rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachMutation applies mutation rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  order:
                                    description: Order defines the iteration order
                                      on the list. Can be Ascending to iterate from
                                      first to last element or Descending to iterate
                                      in from last to first element.
                                    enum:
                                    - Ascending
                                    - Descending
                                    type: string
                                  patchStrategicMerge:
                                    description: PatchStrategicMerge is a strategic
                                      merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                                    x-kubernetes-preserve-unknown-fields: true
                                  patchesJson6902:
                                    description: PatchesJSON6902 is a list of RFC
                                      6902 JSON Patch declarations used to modify
                                      resources. See https://tools.ietf.org/html/rfc6902
                                      and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                                    type: string
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            patchStrategicMerge:
                              description: PatchStrategicMerge is a strategic merge
                                patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
                              x-kubernetes-preserve-unknown-fields: true
                            patchesJson6902:
                              description: PatchesJSON6902 is a list of RFC 6902 JSON
                                Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
                                and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
                              type: string
                            targets:
                              description: Targets defines the target resources to
                                be mutated.
                              items:
                                description: TargetResourceSpec defines targets for
                                  mutating existing resources.
                                properties:
                                  apiVersion:
                                    description: APIVersion specifies resource apiVersion.
                                    type: string
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  kind:
                                    description: Kind specifies resource kind.
                                    type: string
                                  name:
                                    description: Name specifies the resource name.
                                    type: string
                                  namespace:
                                    description: Namespace specifies resource namespace.
                                    type: string
                                  preconditions:
                                    description: 'Preconditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. A direct list
                                      of conditions (without `any` or `all` statements
                                      is supported for backwards compatibility but
                                      will be deprecated in the next major release.
                                      See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                          type: object
                        name:
                          description: Name is a label to identify the rule, It must
                            be unique within the policy.
                          maxLength: 63
                          type: string
                        preconditions:
                          description: 'Preconditions are used to determine if a policy
                            rule should be applied by evaluating a set of conditions.
                            The declaration can contain nested `any` or `all` statements.
                            A direct list of conditions (without `any` or `all` statements
                            is supported for backwards compatibility but will be deprecated
                            in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
                          x-kubernetes-preserve-unknown-fields: true
                        validate:
                          description: Validation is used to validate matching resources.
                          properties:
                            anyPattern:
                              description: AnyPattern specifies list of validation
                                patterns. At least one of the patterns must be satisfied
                                for the validation rule to succeed.
                              x-kubernetes-preserve-unknown-fields: true
                            cel:
                              description: CEL allows validation checks using the
                                Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
                              properties:
                                auditAnnotations:
                                  description: AuditAnnotations contains CEL expressions
                                    which are used to produce audit annotations for
                                    the audit event of the API request.
                                  items:
                                    description: AuditAnnotation describes how to
                                      produce an audit annotation for an API request.
                                    properties:
                                      key:
                                        description: "key specifies the audit annotation
                                          key. The audit annotation keys of a ValidatingAdmissionPolicy
                                          must be unique. The key must be a qualified
                                          name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
                                          than 63 bytes in length. \n The key is combined
                                          with the resource name of the ValidatingAdmissionPolicy
                                          to construct an audit annotation key: \"{ValidatingAdmissionPolicy
                                          name}/{key}\". \n If an admission webhook
                                          uses the same resource name as this ValidatingAdmissionPolicy
                                          and the same audit annotation key, the annotation
                                          key will be identical. In this case, the
                                          first annotation written with the key will
                                          be included in the audit event and all subsequent
                                          annotations with the same key will be discarded.
                                          \n Required."
                                        type: string
                                      valueExpression:
                                        description: "valueExpression represents the
                                          expression which is evaluated by CEL to
                                          produce an audit annotation value. The expression
                                          must evaluate to either a string or null
                                          value. If the expression evaluates to a
                                          string, the audit annotation is included
                                          with the string value. If the expression
                                          evaluates to null or empty string the audit
                                          annotation will be omitted. The valueExpression
                                          may be no longer than 5kb in length. If
                                          the result of the valueExpression is more
                                          than 10kb in length, it will be truncated
                                          to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
                                          resources match an API request, then the
                                          valueExpression will be evaluated for each
                                          binding. All unique values produced by the
                                          valueExpressions will be joined together
                                          in a comma-separated list. \n Required."
                                        type: string
                                    required:
                                    - key
                                    - valueExpression
                                    type: object
                                  type: array
                                expressions:
                                  description: Expressions is a list of CELExpression
                                    types.
                                  items:
                                    description: Validation specifies the CEL expression
                                      which is used to apply the validation.
                                    properties:
                                      expression:
                                        description: "Expression represents the expression
                                          which will be evaluated by CEL. ref: https://github.com/google/cel-spec
                                          CEL expressions have access to the contents
                                          of the API request/response, organized into
                                          CEL variables as well as some other useful
                                          variables: \n - 'object' - The object from
                                          the incoming request. The value is null
                                          for DELETE requests. - 'oldObject' - The
                                          existing object. The value is null for CREATE
                                          requests. - 'request' - Attributes of the
                                          API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
                                          - 'params' - Parameter resource referred
                                          to by the policy binding being evaluated.
                                          Only populated if the policy has a ParamKind.
                                          - 'authorizer' - A CEL Authorizer. May be
                                          used to perform authorization checks for
                                          the principal (user or service account)
                                          of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
                                          - 'authorizer.requestResource' - A CEL ResourceCheck
                                          constructed from the 'authorizer' and configured
                                          with the request resource. \n The `apiVersion`,
                                          `kind`, `metadata.name` and `metadata.generateName`
                                          are always accessible from the root of the
                                          object. No other metadata properties are
                                          accessible. \n Only property names of the
                                          form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
                                          accessible. Accessible property names are
                                          escaped according to the following rules
                                          when accessed in the expression: - '__'
                                          escapes to '__underscores__' - '.' escapes
                                          to '__dot__' - '-' escapes to '__dash__'
                                          - '/' escapes to '__slash__' - Property
                                          names that exactly match a CEL RESERVED
                                          keyword escape to '__{keyword}__'. The keywords
                                          are: \"true\", \"false\", \"null\", \"in\",
                                          \"as\", \"break\", \"const\", \"continue\",
                                          \"else\", \"for\", \"function\", \"if\",
                                          \"import\", \"let\", \"loop\", \"package\",
                                          \"namespace\", \"return\". Examples: - Expression
                                          accessing a property named \"namespace\":
                                          {\"Expression\": \"object.__namespace__
                                          > 0\"} - Expression accessing a property
                                          named \"x-prop\": {\"Expression\": \"object.x__dash__prop
                                          > 0\"} - Expression accessing a property
                                          named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
                                          > 0\"} \n Equality on arrays with list type
                                          of 'set' or 'map' ignores element order,
                                          i.e. [1, 2] == [2, 1]. Concatenation on
                                          arrays with x-kubernetes-list-type use the
                                          semantics of the list type: - 'set': `X
                                          + Y` performs a union where the array positions
                                          of all elements in `X` are preserved and
                                          non-intersecting elements in `Y` are appended,
                                          retaining their partial order. - 'map':
                                          `X + Y` performs a merge where the array
                                          positions of all keys in `X` are preserved
                                          but the values are overwritten by values
                                          in `Y` when the key sets of `X` and `Y`
                                          intersect. Elements in `Y` with non-intersecting
                                          keys are appended, retaining their partial
                                          order. Required."
                                        type: string
                                      message:
                                        description: 'Message represents the message
                                          displayed when validation fails. The message
                                          is required if the Expression contains line
                                          breaks. The message must not contain line
                                          breaks. If unset, the message is "failed
                                          rule: {Rule}". e.g. "must be a URL with
                                          the host matching spec.host" If the Expression
                                          contains line breaks. Message is required.
                                          The message must not contain line breaks.
                                          If unset, the message is "failed Expression:
                                          {Expression}".'
                                        type: string
                                      messageExpression:
                                        description: 'messageExpression declares a
                                          CEL expression that evaluates to the validation
                                          failure message that is returned when this
                                          rule fails. Since messageExpression is used
                                          as a failure message, it must evaluate to
                                          a string. If both message and messageExpression
                                          are present on a validation, then messageExpression
                                          will be used if validation fails. If messageExpression
                                          results in a runtime error, the runtime
                                          error is logged, and the validation failure
                                          message is produced as if the messageExpression
                                          field were unset. If messageExpression evaluates
                                          to an empty string, a string with only spaces,
                                          or a string that contains line breaks, then
                                          the validation failure message will also
                                          be produced as if the messageExpression
                                          field were unset, and the fact that messageExpression
                                          produced an empty string/string with only
                                          spaces/string with line breaks will be logged.
                                          messageExpression has access to all the
                                          same variables as the `expression` except
                                          for ''authorizer'' and ''authorizer.requestResource''.
                                          Example: "object.x must be less than max
                                          ("+string(params.max)+")"'
                                        type: string
                                      reason:
                                        description: 'Reason represents a machine-readable
                                          description of why this validation failed.
                                          If this is the first validation in the list
                                          to fail, this reason, as well as the corresponding
                                          HTTP response code, are used in the HTTP
                                          response to the client. The currently supported
                                          reasons are: "Unauthorized", "Forbidden",
                                          "Invalid", "RequestEntityTooLarge". If not
                                          set, StatusReasonInvalid is used in the
                                          response to the client.'
                                        type: string
                                    required:
                                    - expression
                                    type: object
                                  type: array
                                paramKind:
                                  description: ParamKind is a tuple of Group Kind
                                    and Version.
                                  properties:
                                    apiVersion:
                                      description: APIVersion is the API group version
                                        the resources belong to. In format of "group/version".
                                        Required.
                                      type: string
                                    kind:
                                      description: Kind is the API kind the resources
                                        belong to. Required.
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                                paramRef:
                                  description: ParamRef references a parameter resource.
                                  properties:
                                    name:
                                      description: Name of the resource being referenced.
                                      type: string
                                    namespace:
                                      description: Namespace of the referenced resource.
                                        Should be empty for the cluster-scoped resources
                                      type: string
                                  type: object
                                  x-kubernetes-map-type: atomic
                              type: object
                            deny:
                              description: Deny defines conditions used to pass or
                                fail a validation rule.
                              properties:
                                conditions:
                                  description: 'Multiple conditions can be declared
                                    under an `any` or `all` statement. A direct list
                                    of conditions (without `any` or `all` statements)
                                    is also supported for backwards compatibility
                                    but will be deprecated in the next major release.
                                    See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                  x-kubernetes-preserve-unknown-fields: true
                              type: object
                            foreach:
                              description: ForEach applies validate rules to a list
                                of sub-elements by creating a context for each entry
                                in the list and looping over it to apply the specified
                                logic.
                              items:
                                description: ForEachValidation applies validate rules
                                  to a list of sub-elements by creating a context
                                  for each entry in the list and looping over it to
                                  apply the specified logic.
                                properties:
                                  anyPattern:
                                    description: AnyPattern specifies list of validation
                                      patterns. At least one of the patterns must
                                      be satisfied for the validation rule to succeed.
                                    x-kubernetes-preserve-unknown-fields: true
                                  context:
                                    description: Context defines variables and data
                                      sources that can be used during rule execution.
                                    items:
                                      description: ContextEntry adds variables and
                                        data sources to a rule Context. Either a ConfigMap
                                        reference or a APILookup must be provided.
                                      properties:
                                        apiCall:
                                          description: APICall is an HTTP request
                                            to the Kubernetes API server, or other
                                            JSON web service. The data returned is
                                            stored in the context with the name for
                                            the context entry.
                                          properties:
                                            data:
                                              description: Data specifies the POST
                                                data sent to the server.
                                              items:
                                                description: RequestData contains
                                                  the HTTP POST data
                                                properties:
                                                  key:
                                                    description: Key is a unique identifier
                                                      for the data value
                                                    type: string
                                                  value:
                                                    description: Value is the data
                                                      value
                                                    x-kubernetes-preserve-unknown-fields: true
                                                required:
                                                - key
                                                - value
                                                type: object
                                              type: array
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the JSON response
                                                returned from the server. For example
                                                a JMESPath of "items | length(@)"
                                                applied to the API server response
                                                for the URLPath "/apis/apps/v1/deployments"
                                                will return the total count of deployments
                                                across all namespaces.
                                              type: string
                                            method:
                                              default: GET
                                              description: Method is the HTTP request
                                                type (GET or POST).
                                              enum:
                                              - GET
                                              - POST
                                              type: string
                                            service:
                                              description: Service is an API call
                                                to a JSON web service
                                              properties:
                                                caBundle:
                                                  description: CABundle is a PEM encoded
                                                    CA bundle which will be used to
                                                    validate the server certificate.
                                                  type: string
                                                url:
                                                  description: URL is the JSON web
                                                    service URL. A typical form is
                                                    `https://{service}.{namespace}:{port}/{path}`.
                                                  type: string
                                              required:
                                              - url
                                              type: object
                                            urlPath:
                                              description: URLPath is the URL path
                                                to be used in the HTTP GET or POST
                                                request to the Kubernetes API server
                                                (e.g. "/api/v1/namespaces" or  "/apis/apps/v1/deployments").
                                                The format required is the same format
                                                used by the `kubectl get --raw` command.
                                                See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
                                                for details.
                                              type: string
                                          type: object
                                        configMap:
                                          description: ConfigMap is the ConfigMap
                                            reference.
                                          properties:
                                            name:
                                              description: Name is the ConfigMap name.
                                              type: string
                                            namespace:
                                              description: Namespace is the ConfigMap
                                                namespace.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        imageRegistry:
                                          description: ImageRegistry defines requests
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
                                            imageRegistryCredentials:
                                              description: ImageRegistryCredentials
                                                provides credentials that will be
                                                used for authentication with registry
                                              properties:
                                                allowInsecureRegistry:
                                                  description: AllowInsecureRegistry
                                                    allows insecure access to a registry
                                                  type: boolean
                                                providers:
                                                  description: 'Providers specifies
                                                    a list of OCI Registry names,
                                                    whose authentication providers
                                                    are provided It can be of one
                                                    of these values: AWS, ACR, GCP,
                                                    GHCR'
                                                  items:
                                                    description: ImageRegistryCredentialsProvidersType
                                                      provides the list of credential
                                                      providers required.
                                                    enum:
                                                    - default
                                                    - amazon
                                                    - azure
                                                    - google
                                                    - github
                                                    type: string
                                                  type: array
                                                secrets:
                                                  description: Secrets specifies a
                                                    list of secrets that are provided
                                                    for credentials Secrets must live
                                                    in the Kyverno namespace
                                                  items:
                                                    type: string
                                                  type: array
                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
                                                used to transform the ImageData struct
                                                returned as a result of processing
                                                the image reference.
                                              type: string
                                            reference:
                                              description: 'Reference is image reference
                                                to a container image in the registry.
                                                Example: ghcr.io/kyverno/kyverno:latest'
                                              type: string
                                          required:
                                          - reference
                                          type: object
                                        name:
                                          description: Name is the variable name.
                                          type: string
                                        variable:
                                          description: Variable defines an arbitrary
                                            JMESPath context variable that can be
                                            defined inline.
                                          properties:
                                            default:
                                              description: Default is an optional
                                                arbitrary JSON object that the variable
                                                may take if the JMESPath expression
                                                evaluates to nil
                                              x-kubernetes-preserve-unknown-fields: true
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JMESPath Expression that can be used
                                                to transform the variable.
                                              type: string
                                            value:
                                              description: Value is any arbitrary
                                                JSON object representable in YAML
                                                or JSON form.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                      type: object
                                    type: array
                                  deny:
                                    description: Deny defines conditions used to pass
                                      or fail a validation rule.
                                    properties:
                                      conditions:
                                        description: 'Multiple conditions can be declared
                                          under an `any` or `all` statement. A direct
                                          list of conditions (without `any` or `all`
                                          statements) is also supported for backwards
                                          compatibility but will be deprecated in
                                          the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
                                        x-kubernetes-preserve-unknown-fields: true
                                    type: object
                                  elementScope:
                                    description: ElementScope specifies whether to
                                      use the current list element as the scope for
                                      validation. Defaults to "true" if not specified.
                                      When set to "false", "request.object" is used
                                      as the validation scope within the foreach block
                                      to allow referencing other elements in the subtree.
                                    type: boolean
                                  foreach:
                                    description: Foreach declares a nested foreach
                                      iterator
                                    x-kubernetes-preserve-unknown-fields: true
                                  list:
                                    description: List specifies a JMESPath expression
                                      that results in one or more elements to which
                                      the validation logic is applied.
                                    type: string
                                  pattern:
                                    description: Pattern specifies an overlay-style
                                      pattern used to check resources.
                                    x-kubernetes-preserve-unknown-fields: true
                                  preconditions:
                                    description: 'AnyAllConditions are used to determine
                                      if a policy rule should be applied by evaluating
                                      a set of conditions. The declaration can contain
                                      nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
                                    properties:
                                      all:
                                        description: AllConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, all of the conditions
                                          need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                      any:
                                        description: AnyConditions enable variable-based
                                          conditional rule execution. This is useful
                                          for finer control of when an rule is applied.
                                          A condition can reference object data using
                                          JMESPath notation. Here, at least one of
                                          the conditions need to pass
                                        items:
                                          description: Condition defines variable-based
                                            conditional criteria for rule execution.
                                          properties:
                                            key:
                                              description: Key is the context entry
                                                (using JMESPath) for conditional rule
                                                evaluation.
                                              x-kubernetes-preserve-unknown-fields: true
                                            message:
                                              description: Message is an optional
                                                display message
                                              type: string
                                            operator:
                                              description: 'Operator is the conditional
                                                operation to perform. Valid operators
                                                are: Equals, NotEquals, In, AnyIn,
                                                AllIn, NotIn, AnyNotIn, AllNotIn,
                                                GreaterThanOrEquals, GreaterThan,
                                                LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                DurationGreaterThan, DurationLessThanOrEquals,
                                                DurationLessThan'
                                              enum:
                                              - Equals
                                              - NotEquals
                                              - In
                                              - AnyIn
                                              - AllIn
                                              - NotIn
                                              - AnyNotIn
                                              - AllNotIn
                                              - GreaterThanOrEquals
                                              - GreaterThan
                                              - LessThanOrEquals
                                              - LessThan
                                              - DurationGreaterThanOrEquals
                                              - DurationGreaterThan
                                              - DurationLessThanOrEquals
                                              - DurationLessThan
                                              type: string
                                            value:
                                              description: Value is the conditional
                                                value, or set of values. The values
                                                can be fixed set or can be variables
                                                declared using JMESPath.
                                              x-kubernetes-preserve-unknown-fields: true
                                          type: object
                                        type: array
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                type: object
                              type: array
                            manifests:
                              description: Manifest specifies conditions for manifest
                                verification
                              properties:
                                annotationDomain:
                                  description: AnnotationDomain is custom domain of
                                    annotation for message and signature. Default
                                    is "cosign.sigstore.dev".
                                  type: string
                                attestors:
                                  description: Attestors specified the required attestors
                                    (i.e. authorities)
                                  items:
                                    properties:
                                      count:
                                        description: Count specifies the required
                                          number of entries that must match. If the
                                          count is null, all entries must match (a
                                          logical AND). If the count is 1, at least
                                          one entry must match (a logical OR). If
                                          the count contains a value N, then N must
                                          be less than or equal to the size of entries,
                                          and at least N entries must match.
                                        minimum: 1
                                        type: integer
                                      entries:
                                        description: Entries contains the available
                                          attestors. An attestor can be a static key,
                                          attributes for keyless verification, or
                                          a nested attestor declaration.
                                        items:
                                          properties:
                                            annotations:
                                              additionalProperties:
                                                type: string
                                              description: Annotations are used for
                                                image verification. Every specified
                                                key-value pair must exist and match
                                                in the verified payload. The payload
                                                may contain other key-value pairs.
                                              type: object
                                            attestor:
                                              description: Attestor is a nested AttestorSet
                                                used to specify a more complex set
                                                of match authorities
                                              x-kubernetes-preserve-unknown-fields: true
                                            certificates:
                                              description: Certificates specifies
                                                one or more certificates
                                              properties:
                                                cert:
                                                  description: Certificate is an optional
                                                    PEM encoded public certificate.
                                                  type: string
                                                certChain:
                                                  description: CertificateChain is
                                                    an optional PEM encoded set of
                                                    certificates used to verify
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked. If an empty
                                                    object is provided the public
                                                    instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                              type: object
                                            keyless:
                                              description: Keyless is a set of attribute
                                                used to verify a Sigstore keyless
                                                attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                              properties:
                                                additionalExtensions:
                                                  additionalProperties:
                                                    type: string
                                                  description: AdditionalExtensions
                                                    are certificate-extensions used
                                                    for keyless signing.
                                                  type: object
                                                issuer:
                                                  description: Issuer is the certificate
                                                    issuer used for keyless signing.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    Rekor is not checked and a root
                                                    certificate chain is expected
                                                    instead. If an empty object is
                                                    provided the public instance of
                                                    Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                roots:
                                                  description: Roots is an optional
                                                    set of PEM encoded trusted root
                                                    certificates. If not provided,
                                                    the system roots are used.
                                                  type: string
                                                subject:
                                                  description: Subject is the verified
                                                    identity used for keyless signing,
                                                    for example the email address
                                                  type: string
                                              type: object
                                            keys:
                                              description: Keys specifies one or more
                                                public keys
                                              properties:
                                                kms:
                                                  description: 'KMS provides the URI
                                                    to the public key stored in a
                                                    Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                  type: string
                                                publicKeys:
                                                  description: Keys is a set of X.509
                                                    public keys used to verify image
                                                    signatures. The keys can be directly
                                                    specified or can be a variable
                                                    reference to a key specified in
                                                    a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
                                                    or reference a standard Kubernetes
                                                    Secret elsewhere in the cluster
                                                    by specifying it in the format
                                                    "k8s://<namespace>/<secret_name>".
                                                    The named Secret must specify
                                                    a key `cosign.pub` containing
                                                    the public key used for verification,
                                                    (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                    When multiple keys are specified
                                                    each key is processed as a separate
                                                    staticKey entry (.attestors[*].entries.keys)
                                                    within the set of attestors and
                                                    the count is applied across the
                                                    keys.
                                                  type: string
                                                rekor:
                                                  description: Rekor provides configuration
                                                    for the Rekor transparency log
                                                    service. If the value is nil,
                                                    or an empty object is provided,
                                                    the public instance of Rekor (https://rekor.sigstore.dev)
                                                    is used.
                                                  properties:
                                                    ignoreSCT:
                                                      description: IgnoreSCT requires
                                                        that a certificate contain
                                                        an embedded SCT during verification.
                                                        An SCT is proof of inclusion
                                                        in a certificate transparency
                                                        log.
                                                      type: boolean
                                                    ignoreTlog:
                                                      description: IgnoreTlog skip
                                                        tlog verification
                                                      type: boolean
                                                    pubkey:
                                                      description: RekorPubKey is
                                                        an optional PEM encoded public
                                                        key to use for a custom Rekor.
                                                        If set, is used to validate
                                                        signatures on log entries
                                                        from Rekor.
                                                      type: string
                                                    url:
                                                      description: URL is the address
                                                        of the transparency log. Defaults
                                                        to the public log https://rekor.sigstore.dev.
                                                      type: string
                                                  required:
                                                  - url
                                                  type: object
                                                secret:
                                                  description: Reference to a Secret
                                                    resource that contains a public
                                                    key
                                                  properties:
                                                    name:
                                                      description: Name of the secret.
                                                        The provided secret must contain
                                                        a key named cosign.pub.
                                                      type: string
                                                    namespace:
                                                      description: Namespace name
                                                        where the Secret exists.
                                                      type: string
                                                  required:
                                                  - name
                                                  - namespace
                                                  type: object
                                                signatureAlgorithm:
                                                  default: sha256
                                                  description: Specify signature algorithm
                                                    for public keys. Supported values
                                                    are sha256 and sha512
                                                  type: string
                                              type: object
                                            repository:
                                              description: Repository is an optional
                                                alternate OCI repository to use for
                                                signatures and attestations that match
                                                this rule. If specified Repository
                                                will override other OCI image repository
                                                locations for this Attestor.
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                dryRun:
                                  description: DryRun configuration
                                  properties:
                                    enable:
                                      type: boolean
                                    namespace:
                                      type: string
                                  type: object
                                ignoreFields:
                                  description: Fields which will be ignored while
                                    comparing manifests.
                                  items:
                                    properties:
                                      fields:
                                        items:
                                          type: string
                                        type: array
                                      objects:
                                        items:
                                          properties:
                                            group:
                                              type: string
                                            kind:
                                              type: string
                                            name:
                                              type: string
                                            namespace:
                                              type: string
                                            version:
                                              type: string
                                          type: object
                                        type: array
                                    type: object
                                  type: array
                                repository:
                                  description: Repository is an optional alternate
                                    OCI repository to use for resource bundle reference.
                                    The repository can be overridden per Attestor
                                    or Attestation.
                                  type: string
                              type: object
                            message:
                              description: Message specifies a custom message to be
                                displayed on failure.
                              type: string
                            pattern:
                              description: Pattern specifies an overlay-style pattern
                                used to check resources.
                              x-kubernetes-preserve-unknown-fields: true
                            podSecurity:
                              description: PodSecurity applies exemptions for Kubernetes
                                Pod Security admission by specifying exclusions for
                                Pod Security Standards controls.
                              properties:
                                exclude:
                                  description: Exclude specifies the Pod Security
                                    Standard controls to be excluded.
                                  items:
                                    description: PodSecurityStandard specifies the
                                      Pod Security Standard controls to be excluded.
                                    properties:
                                      controlName:
                                        description: 'ControlName specifies the name
                                          of the Pod Security Standard control. See:
                                          https://kubernetes.io/docs/concepts/security/pod-security-standards/'
                                        enum:
                                        - HostProcess
                                        - Host Namespaces
                                        - Privileged Containers
                                        - Capabilities
                                        - HostPath Volumes
                                        - Host Ports
                                        - AppArmor
                                        - SELinux
                                        - /proc Mount Type
                                        - Seccomp
                                        - Sysctls
                                        - Volume Types
                                        - Privilege Escalation
                                        - Running as Non-root
                                        - Running as Non-root user
                                        type: string
                                      images:
                                        description: 'Images selects matching containers
                                          and applies the container level PSS. Each
                                          image is the image name consisting of the
                                          registry address, repository, image, and
                                          tag. Empty list matches no containers, PSS
                                          checks are applied at the pod level only.
                                          Wildcards (''*'' and ''?'') are allowed.
                                          See: https://kubernetes.io/docs/concepts/containers/images.'
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - controlName
                                    type: object
                                  type: array
                                level:
                                  description: Level defines the Pod Security Standard
                                    level to be applied to workloads. Allowed values
                                    are privileged, baseline, and restricted.
                                  enum:
                                  - privileged
                                  - baseline
                                  - restricted
                                  type: string
                                version:
                                  description: Version defines the Pod Security Standard
                                    versions that Kubernetes supports. Allowed values
                                    are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
                                    v1.25, v1.26, latest. Defaults to latest.
                                  enum:
                                  - v1.19
                                  - v1.20
                                  - v1.21
                                  - v1.22
                                  - v1.23
                                  - v1.24
                                  - v1.25
                                  - v1.26
                                  - latest
                                  type: string
                              type: object
                          type: object
                        verifyImages:
                          description: VerifyImages is used to verify image signatures
                            and mutate them to add a digest
                          items:
                            description: ImageVerification validates that images that
                              match the specified pattern are signed with the supplied
                              public key. Once the image is verified it is mutated
                              to include the SHA digest retrieved during the registration.
                            properties:
                              additionalExtensions:
                                additionalProperties:
                                  type: string
                                description: AdditionalExtensions are certificate-extensions
                                  used for keyless signing. Deprecated.
                                type: object
                              annotations:
                                additionalProperties:
                                  type: string
                                description: Annotations are used for image verification.
                                  Every specified key-value pair must exist and match
                                  in the verified payload. The payload may contain
                                  other key-value pairs. Deprecated. Use annotations
                                  per Attestor instead.
                                type: object
                              attestations:
                                description: Attestations are optional checks for
                                  signed in-toto Statements used to verify the image.
                                  See https://github.com/in-toto/attestation. Kyverno
                                  fetches signed attestations from the OCI registry
                                  and decodes them into a list of Statement declarations.
                                items:
                                  description: Attestation are checks for signed in-toto
                                    Statements that are used to verify the image.
                                    See https://github.com/in-toto/attestation. Kyverno
                                    fetches signed attestations from the OCI registry
                                    and decodes them into a list of Statements.
                                  properties:
                                    attestors:
                                      description: Attestors specify the required
                                        attestors (i.e. authorities)
                                      items:
                                        properties:
                                          count:
                                            description: Count specifies the required
                                              number of entries that must match. If
                                              the count is null, all entries must
                                              match (a logical AND). If the count
                                              is 1, at least one entry must match
                                              (a logical OR). If the count contains
                                              a value N, then N must be less than
                                              or equal to the size of entries, and
                                              at least N entries must match.
                                            minimum: 1
                                            type: integer
                                          entries:
                                            description: Entries contains the available
                                              attestors. An attestor can be a static
                                              key, attributes for keyless verification,
                                              or a nested attestor declaration.
                                            items:
                                              properties:
                                                annotations:
                                                  additionalProperties:
                                                    type: string
                                                  description: Annotations are used
                                                    for image verification. Every
                                                    specified key-value pair must
                                                    exist and match in the verified
                                                    payload. The payload may contain
                                                    other key-value pairs.
                                                  type: object
                                                attestor:
                                                  description: Attestor is a nested
                                                    AttestorSet used to specify a
                                                    more complex set of match authorities
                                                  x-kubernetes-preserve-unknown-fields: true
                                                certificates:
                                                  description: Certificates specifies
                                                    one or more certificates
                                                  properties:
                                                    cert:
                                                      description: Certificate is
                                                        an optional PEM encoded public
                                                        certificate.
                                                      type: string
                                                    certChain:
                                                      description: CertificateChain
                                                        is an optional PEM encoded
                                                        set of certificates used to
                                                        verify
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked. If an empty
                                                        object is provided the public
                                                        instance of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                  type: object
                                                keyless:
                                                  description: Keyless is a set of
                                                    attribute used to verify a Sigstore
                                                    keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                                  properties:
                                                    additionalExtensions:
                                                      additionalProperties:
                                                        type: string
                                                      description: AdditionalExtensions
                                                        are certificate-extensions
                                                        used for keyless signing.
                                                      type: object
                                                    issuer:
                                                      description: Issuer is the certificate
                                                        issuer used for keyless signing.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, Rekor
                                                        is not checked and a root
                                                        certificate chain is expected
                                                        instead. If an empty object
                                                        is provided the public instance
                                                        of Rekor (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    roots:
                                                      description: Roots is an optional
                                                        set of PEM encoded trusted
                                                        root certificates. If not
                                                        provided, the system roots
                                                        are used.
                                                      type: string
                                                    subject:
                                                      description: Subject is the
                                                        verified identity used for
                                                        keyless signing, for example
                                                        the email address
                                                      type: string
                                                  type: object
                                                keys:
                                                  description: Keys specifies one
                                                    or more public keys
                                                  properties:
                                                    kms:
                                                      description: 'KMS provides the
                                                        URI to the public key stored
                                                        in a Key Management System.
                                                        See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                      type: string
                                                    publicKeys:
                                                      description: Keys is a set of
                                                        X.509 public keys used to
                                                        verify image signatures. The
                                                        keys can be directly specified
                                                        or can be a variable reference
                                                        to a key specified in a ConfigMap
                                                        (see https://kyverno.io/docs/writing-policies/variables/),
                                                        or reference a standard Kubernetes
                                                        Secret elsewhere in the cluster
                                                        by specifying it in the format
                                                        "k8s://<namespace>/<secret_name>".
                                                        The named Secret must specify
                                                        a key `cosign.pub` containing
                                                        the public key used for verification,
                                                        (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                        When multiple keys are specified
                                                        each key is processed as a
                                                        separate staticKey entry (.attestors[*].entries.keys)
                                                        within the set of attestors
                                                        and the count is applied across
                                                        the keys.
                                                      type: string
                                                    rekor:
                                                      description: Rekor provides
                                                        configuration for the Rekor
                                                        transparency log service.
                                                        If the value is nil, or an
                                                        empty object is provided,
                                                        the public instance of Rekor
                                                        (https://rekor.sigstore.dev)
                                                        is used.
                                                      properties:
                                                        ignoreSCT:
                                                          description: IgnoreSCT requires
                                                            that a certificate contain
                                                            an embedded SCT during
                                                            verification. An SCT is
                                                            proof of inclusion in
                                                            a certificate transparency
                                                            log.
                                                          type: boolean
                                                        ignoreTlog:
                                                          description: IgnoreTlog
                                                            skip tlog verification
                                                          type: boolean
                                                        pubkey:
                                                          description: RekorPubKey
                                                            is an optional PEM encoded
                                                            public key to use for
                                                            a custom Rekor. If set,
                                                            is used to validate signatures
                                                            on log entries from Rekor.
                                                          type: string
                                                        url:
                                                          description: URL is the
                                                            address of the transparency
                                                            log. Defaults to the public
                                                            log https://rekor.sigstore.dev.
                                                          type: string
                                                      required:
                                                      - url
                                                      type: object
                                                    secret:
                                                      description: Reference to a
                                                        Secret resource that contains
                                                        a public key
                                                      properties:
                                                        name:
                                                          description: Name of the
                                                            secret. The provided secret
                                                            must contain a key named
                                                            cosign.pub.
                                                          type: string
                                                        namespace:
                                                          description: Namespace name
                                                            where the Secret exists.
                                                          type: string
                                                      required:
                                                      - name
                                                      - namespace
                                                      type: object
                                                    signatureAlgorithm:
                                                      default: sha256
                                                      description: Specify signature
                                                        algorithm for public keys.
                                                        Supported values are sha256
                                                        and sha512
                                                      type: string
                                                  type: object
                                                repository:
                                                  description: Repository is an optional
                                                    alternate OCI repository to use
                                                    for signatures and attestations
                                                    that match this rule. If specified
                                                    Repository will override other
                                                    OCI image repository locations
                                                    for this Attestor.
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    conditions:
                                      description: Conditions are used to verify attributes
                                        within a Predicate. If no Conditions are specified
                                        the attestation check is satisfied as long
                                        there are predicates that match the predicate
                                        type.
                                      items:
                                        description: AnyAllConditions consists of
                                          conditions wrapped denoting a logical criteria
                                          to be fulfilled. AnyConditions get fulfilled
                                          when at least one of its sub-conditions
                                          passes. AllConditions get fulfilled only
                                          when all of its sub-conditions pass.
                                        properties:
                                          all:
                                            description: AllConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, all of the conditions need to
                                              pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                          any:
                                            description: AnyConditions enable variable-based
                                              conditional rule execution. This is
                                              useful for finer control of when an
                                              rule is applied. A condition can reference
                                              object data using JMESPath notation.
                                              Here, at least one of the conditions
                                              need to pass
                                            items:
                                              description: Condition defines variable-based
                                                conditional criteria for rule execution.
                                              properties:
                                                key:
                                                  description: Key is the context
                                                    entry (using JMESPath) for conditional
                                                    rule evaluation.
                                                  x-kubernetes-preserve-unknown-fields: true
                                                message:
                                                  description: Message is an optional
                                                    display message
                                                  type: string
                                                operator:
                                                  description: 'Operator is the conditional
                                                    operation to perform. Valid operators
                                                    are: Equals, NotEquals, In, AnyIn,
                                                    AllIn, NotIn, AnyNotIn, AllNotIn,
                                                    GreaterThanOrEquals, GreaterThan,
                                                    LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
                                                    DurationGreaterThan, DurationLessThanOrEquals,
                                                    DurationLessThan'
                                                  enum:
                                                  - Equals
                                                  - NotEquals
                                                  - In
                                                  - AnyIn
                                                  - AllIn
                                                  - NotIn
                                                  - AnyNotIn
                                                  - AllNotIn
                                                  - GreaterThanOrEquals
                                                  - GreaterThan
                                                  - LessThanOrEquals
                                                  - LessThan
                                                  - DurationGreaterThanOrEquals
                                                  - DurationGreaterThan
                                                  - DurationLessThanOrEquals
                                                  - DurationLessThan
                                                  type: string
                                                value:
                                                  description: Value is the conditional
                                                    value, or set of values. The values
                                                    can be fixed set or can be variables
                                                    declared using JMESPath.
                                                  x-kubernetes-preserve-unknown-fields: true
                                              type: object
                                            type: array
                                        type: object
                                      type: array
                                    predicateType:
                                      description: PredicateType defines the type
                                        of Predicate contained within the Statement.
                                        Deprecated in favour of 'Type', to be removed
                                        soon
                                      type: string
                                    type:
                                      description: Type defines the type of attestation
                                        contained within the Statement.
                                      type: string
                                  type: object
                                type: array
                              attestors:
                                description: Attestors specified the required attestors
                                  (i.e. authorities)
                                items:
                                  properties:
                                    count:
                                      description: Count specifies the required number
                                        of entries that must match. If the count is
                                        null, all entries must match (a logical AND).
                                        If the count is 1, at least one entry must
                                        match (a logical OR). If the count contains
                                        a value N, then N must be less than or equal
                                        to the size of entries, and at least N entries
                                        must match.
                                      minimum: 1
                                      type: integer
                                    entries:
                                      description: Entries contains the available
                                        attestors. An attestor can be a static key,
                                        attributes for keyless verification, or a
                                        nested attestor declaration.
                                      items:
                                        properties:
                                          annotations:
                                            additionalProperties:
                                              type: string
                                            description: Annotations are used for
                                              image verification. Every specified
                                              key-value pair must exist and match
                                              in the verified payload. The payload
                                              may contain other key-value pairs.
                                            type: object
                                          attestor:
                                            description: Attestor is a nested AttestorSet
                                              used to specify a more complex set of
                                              match authorities
                                            x-kubernetes-preserve-unknown-fields: true
                                          certificates:
                                            description: Certificates specifies one
                                              or more certificates
                                            properties:
                                              cert:
                                                description: Certificate is an optional
                                                  PEM encoded public certificate.
                                                type: string
                                              certChain:
                                                description: CertificateChain is an
                                                  optional PEM encoded set of certificates
                                                  used to verify
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked. If an empty object is provided
                                                  the public instance of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                            type: object
                                          keyless:
                                            description: Keyless is a set of attribute
                                              used to verify a Sigstore keyless attestor.
                                              See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
                                            properties:
                                              additionalExtensions:
                                                additionalProperties:
                                                  type: string
                                                description: AdditionalExtensions
                                                  are certificate-extensions used
                                                  for keyless signing.
                                                type: object
                                              issuer:
                                                description: Issuer is the certificate
                                                  issuer used for keyless signing.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, Rekor is not
                                                  checked and a root certificate chain
                                                  is expected instead. If an empty
                                                  object is provided the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              roots:
                                                description: Roots is an optional
                                                  set of PEM encoded trusted root
                                                  certificates. If not provided, the
                                                  system roots are used.
                                                type: string
                                              subject:
                                                description: Subject is the verified
                                                  identity used for keyless signing,
                                                  for example the email address
                                                type: string
                                            type: object
                                          keys:
                                            description: Keys specifies one or more
                                              public keys
                                            properties:
                                              kms:
                                                description: 'KMS provides the URI
                                                  to the public key stored in a Key
                                                  Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
                                                type: string
                                              publicKeys:
                                                description: Keys is a set of X.509
                                                  public keys used to verify image
                                                  signatures. The keys can be directly
                                                  specified or can be a variable reference
                                                  to a key specified in a ConfigMap
                                                  (see https://kyverno.io/docs/writing-policies/variables/),
                                                  or reference a standard Kubernetes
                                                  Secret elsewhere in the cluster
                                                  by specifying it in the format "k8s://<namespace>/<secret_name>".
                                                  The named Secret must specify a
                                                  key `cosign.pub` containing the
                                                  public key used for verification,
                                                  (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
                                                  When multiple keys are specified
                                                  each key is processed as a separate
                                                  staticKey entry (.attestors[*].entries.keys)
                                                  within the set of attestors and
                                                  the count is applied across the
                                                  keys.
                                                type: string
                                              rekor:
                                                description: Rekor provides configuration
                                                  for the Rekor transparency log service.
                                                  If the value is nil, or an empty
                                                  object is provided, the public instance
                                                  of Rekor (https://rekor.sigstore.dev)
                                                  is used.
                                                properties:
                                                  ignoreSCT:
                                                    description: IgnoreSCT requires
                                                      that a certificate contain an
                                                      embedded SCT during verification.
                                                      An SCT is proof of inclusion
                                                      in a certificate transparency
                                                      log.
                                                    type: boolean
                                                  ignoreTlog:
                                                    description: IgnoreTlog skip tlog
                                                      verification
                                                    type: boolean
                                                  pubkey:
                                                    description: RekorPubKey is an
                                                      optional PEM encoded public
                                                      key to use for a custom Rekor.
                                                      If set, is used to validate
                                                      signatures on log entries from
                                                      Rekor.
                                                    type: string
                                                  url:
                                                    description: URL is the address
                                                      of the transparency log. Defaults
                                                      to the public log https://rekor.sigstore.dev.
                                                    type: string
                                                required:
                                                - url
                                                type: object
                                              secret:
                                                description: Reference to a Secret
                                                  resource that contains a public
                                                  key
                                                properties:
                                                  name:
                                                    description: Name of the secret.
                                                      The provided secret must contain
                                                      a key named cosign.pub.
                                                    type: string
                                                  namespace:
                                                    description: Namespace name where
                                                      the Secret exists.
                                                    type: string
                                                required:
                                                - name
                                                - namespace
                                                type: object
                                              signatureAlgorithm:
                                                default: sha256
                                                description: Specify signature algorithm
                                                  for public keys. Supported values
                                                  are sha256 and sha512
                                                type: string
                                            type: object
                                          repository:
                                            description: Repository is an optional
                                              alternate OCI repository to use for
                                              signatures and attestations that match
                                              this rule. If specified Repository will
                                              override other OCI image repository
                                              locations for this Attestor.
                                            type: string
                                        type: object
                                      type: array
                                  type: object
                                type: array
                              image:
                                description: 'Image is the image name consisting of
                                  the registry address, repository, image, and tag.
                                  Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
                                  Deprecated. Use ImageReferences instead.'
                                type: string
                              imageReferences:
                                description: 'ImageReferences is a list of matching
                                  image reference patterns. At least one pattern in
                                  the list must match the image for the rule to apply.
                                  Each image reference consists of a registry address
                                  (defaults to docker.io), repository, image, and
                                  tag (defaults to latest). Wildcards (''*'' and ''?'')
                                  are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
                                items:
                                  type: string
                                type: array
                              imageRegistryCredentials:
                                description: ImageRegistryCredentials provides credentials
                                  that will be used for authentication with registry
                                properties:
                                  allowInsecureRegistry:
                                    description: AllowInsecureRegistry allows insecure
                                      access to a registry
                                    type: boolean
                                  providers:
                                    description: 'Providers specifies a list of OCI
                                      Registry names, whose authentication providers
                                      are provided It can be of one of these values:
                                      AWS, ACR, GCP, GHCR'
                                    items:
                                      description: ImageRegistryCredentialsProvidersType
                                        provides the list of credential providers
                                        required.
                                      enum:
                                      - default
                                      - amazon
                                      - azure
                                      - google
                                      - github
                                      type: string
                                    type: array
                                  secrets:
                                    description: Secrets specifies a list of secrets
                                      that are provided for credentials Secrets must
                                      live in the Kyverno namespace
                                    items:
                                      type: string
                                    type: array
                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              key:
                                description: Key is the PEM encoded public key that
                                  the image or attestation is signed with. Deprecated.
                                  Use StaticKeyAttestor instead.
                                type: string
                              mutateDigest:
                                default: true
                                description: MutateDigest enables replacement of image
                                  tags with digests. Defaults to true.
                                type: boolean
                              repository:
                                description: Repository is an optional alternate OCI
                                  repository to use for image signatures and attestations
                                  that match this rule. If specified Repository will
                                  override the default OCI image repository configured
                                  for the installation. The repository can also be
                                  overridden per Attestor or Attestation.
                                type: string
                              required:
                                default: true
                                description: Required validates that images are verified
                                  i.e. have matched passed a signature or attestation
                                  check.
                                type: boolean
                              roots:
                                description: Roots is the PEM encoded Root certificate
                                  chain used for keyless signing Deprecated. Use KeylessAttestor
                                  instead.
                                type: string
                              subject:
                                description: Subject is the identity used for keyless
                                  signing, for example an email address Deprecated.
                                  Use KeylessAttestor instead.
                                type: string
                              type:
                                description: Type specifies the method of signature
                                  validation. The allowed options are Cosign and Notary.
                                  By default Cosign is used if a type is not specified.
                                enum:
                                - Cosign
                                - Notary
                                type: string
                              useCache:
                                default: true
                                description: UseCache enables caching of image verify
                                  responses for this rule
                                type: boolean
                              verifyDigest:
                                default: true
                                description: VerifyDigest validates that images have
                                  a digest.
                                type: boolean
                            type: object
                          type: array
                      required:
                      - name
                      type: object
                    type: array
                type: object
              conditions:
                description: Conditions is a list of conditions that apply to the
                  policy
                items:
                  description: "Condition contains details for one aspect of the current
                    state of this API Resource. --- This struct is intended for direct
                    use as an array at the field path .status.conditions.  For example,
                    \n type FooStatus struct{ // Represents the observations of a
                    foo's current state. // Known .status.conditions.type are: \"Available\",
                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              ready:
                description: Ready indicates if the policy is ready to serve the admission
                  request. Deprecated in favor of Conditions
                type: boolean
              rulecount:
                description: RuleCount describes total number of rules in a policy
                properties:
                  generate:
                    description: Count for generate rules in policy
                    type: integer
                  mutate:
                    description: Count for mutate rules in policy
                    type: integer
                  validate:
                    description: Count for validate rules in policy
                    type: integer
                  verifyimages:
                    description: Count for verify image rules in policy
                    type: integer
                required:
                - generate
                - mutate
                - validate
                - verifyimages
                type: object
            required:
            - ready
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: policyexceptions.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: PolicyException
    listKind: PolicyExceptionList
    plural: policyexceptions
    shortNames:
    - polex
    singular: policyexception
  scope: Namespaced
  versions:
  - name: v2alpha1
    schema:
      openAPIV3Schema:
        description: PolicyException declares resources to be excluded from specified
          policies.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec declares policy exception behaviors.
            properties:
              background:
                description: Background controls if exceptions are applied to existing
                  policies during a background scan. Optional. Default value is "true".
                  The value must be set to "false" if the policy rule uses variables
                  that are only available in the admission review request (e.g. user
                  name).
                type: boolean
              exceptions:
                description: Exceptions is a list policy/rules to be excluded
                items:
                  description: Exception stores infos about a policy and rules
                  properties:
                    policyName:
                      description: PolicyName identifies the policy to which the exception
                        is applied. The policy name uses the format <namespace>/<name>
                        unless it references a ClusterPolicy.
                      type: string
                    ruleNames:
                      description: RuleNames identifies the rules to which the exception
                        is applied.
                      items:
                        type: string
                      type: array
                  required:
                  - policyName
                  - ruleNames
                  type: object
                type: array
              match:
                description: Match defines match clause used to check if a resource
                  applies to the exception
                properties:
                  all:
                    description: All allows specifying resources which will be ANDed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                  any:
                    description: Any allows specifying resources which will be ORed
                    items:
                      description: ResourceFilter allow users to "AND" or "OR" between
                        resources
                      properties:
                        clusterRoles:
                          description: ClusterRoles is the list of cluster-wide role
                            names for the user.
                          items:
                            type: string
                          type: array
                        resources:
                          description: ResourceDescription contains information about
                            the resource being created or modified.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              description: Annotations is a  map of annotations (key-value
                                pairs of type string). Annotation keys and values
                                support the wildcard characters "*" (matches zero
                                or many characters) and "?" (matches at least one
                                character).
                              type: object
                            kinds:
                              description: Kinds is a list of resource kinds.
                              items:
                                type: string
                              type: array
                            name:
                              description: 'Name is the name of the resource. The
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                                NOTE: "Name" is being deprecated in favor of "Names".'
                              type: string
                            names:
                              description: Names are the names of the resources. Each
                                name supports wildcard characters "*" (matches zero
                                or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            namespaceSelector:
                              description: 'NamespaceSelector is a label selector
                                for the resource namespace. Label keys and values
                                in `matchLabels` support the wildcard characters `*`
                                (matches zero or many characters) and `?` (matches
                                one character).Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            namespaces:
                              description: Namespaces is a list of namespaces names.
                                Each name supports wildcard characters "*" (matches
                                zero or many characters) and "?" (at least one character).
                              items:
                                type: string
                              type: array
                            operations:
                              description: Operations can contain values ["CREATE,
                                "UPDATE", "CONNECT", "DELETE"], which are used to
                                match a specific action.
                              items:
                                description: AdmissionOperation can have one of the
                                  values CREATE, UPDATE, CONNECT, DELETE, which are
                                  used to match a specific action.
                                enum:
                                - CREATE
                                - CONNECT
                                - UPDATE
                                - DELETE
                                type: string
                              type: array
                            selector:
                              description: 'Selector is a label selector. Label keys
                                and values in `matchLabels` support the wildcard characters
                                `*` (matches zero or many characters) and `?` (matches
                                one character). Wildcards allows writing label selectors
                                like ["storage.k8s.io/*": "*"]. Note that using ["*"
                                : "*"] matches any key and value but does not match
                                an empty label set.'
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                          type: object
                        roles:
                          description: Roles is the list of namespaced role names
                            for the user.
                          items:
                            type: string
                          type: array
                        subjects:
                          description: Subjects is the list of subject names like
                            users, user groups, and service accounts.
                          items:
                            description: Subject contains a reference to the object
                              or user identities a role binding applies to.  This
                              can either hold a direct API object reference, or a
                              value for non-objects such as user and group names.
                            properties:
                              apiGroup:
                                description: APIGroup holds the API group of the referenced
                                  subject. Defaults to "" for ServiceAccount subjects.
                                  Defaults to "rbac.authorization.k8s.io" for User
                                  and Group subjects.
                                type: string
                              kind:
                                description: Kind of object being referenced. Values
                                  defined by this API group are "User", "Group", and
                                  "ServiceAccount". If the Authorizer does not recognized
                                  the kind value, the Authorizer should report an
                                  error.
                                type: string
                              name:
                                description: Name of the object being referenced.
                                type: string
                              namespace:
                                description: Namespace of the referenced object.  If
                                  the object kind is non-namespace, such as "User"
                                  or "Group", and this value is not empty the Authorizer
                                  should report an error.
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                            x-kubernetes-map-type: atomic
                          type: array
                      type: object
                    type: array
                type: object
            required:
            - exceptions
            - match
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: updaterequests.kyverno.io
spec:
  group: kyverno.io
  names:
    categories:
    - kyverno
    kind: UpdateRequest
    listKind: UpdateRequestList
    plural: updaterequests
    shortNames:
    - ur
    singular: updaterequest
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.policy
      name: Policy
      type: string
    - jsonPath: .spec.requestType
      name: RuleType
      type: string
    - jsonPath: .spec.resource.kind
      name: ResourceKind
      type: string
    - jsonPath: .spec.resource.name
      name: ResourceName
      type: string
    - jsonPath: .spec.resource.namespace
      name: ResourceNamespace
      type: string
    - jsonPath: .status.state
      name: status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: UpdateRequest is a request to process mutate and generate rules
          in background.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ResourceSpec is the information to identify the trigger resource.
            properties:
              context:
                description: Context ...
                properties:
                  admissionRequestInfo:
                    description: AdmissionRequestInfoObject stores the admission request
                      and operation details
                    properties:
                      admissionRequest:
                        description: AdmissionRequest describes the admission.Attributes
                          for the admission request.
                        properties:
                          dryRun:
                            description: DryRun indicates that modifications will
                              definitely not be persisted for this request. Defaults
                              to false.
                            type: boolean
                          kind:
                            description: Kind is the fully-qualified type of object
                              being submitted (for example, v1.Pod or autoscaling.v1.Scale)
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          name:
                            description: Name is the name of the object as presented
                              in the request.  On a CREATE operation, the client may
                              omit name and rely on the server to generate the name.  If
                              that is the case, this field will contain an empty string.
                            type: string
                          namespace:
                            description: Namespace is the namespace associated with
                              the request (if any).
                            type: string
                          object:
                            description: Object is the object from the incoming request.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          oldObject:
                            description: OldObject is the existing object. Only populated
                              for DELETE and UPDATE requests.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          operation:
                            description: Operation is the operation being performed.
                              This may be different than the operation requested.
                              e.g. a patch can result in either a CREATE or UPDATE
                              Operation.
                            type: string
                          options:
                            description: Options is the operation option structure
                              of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
                              or `meta.k8s.io/v1.CreateOptions`. This may be different
                              than the options the caller provided. e.g. for a patch
                              request the performed Operation might be a CREATE, in
                              which case the Options will a `meta.k8s.io/v1.CreateOptions`
                              even though the caller provided `meta.k8s.io/v1.PatchOptions`.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                          requestKind:
                            description: "RequestKind is the fully-qualified type
                              of the original API request (for example, v1.Pod or
                              autoscaling.v1.Scale). If this is specified and differs
                              from the value in \"kind\", an equivalent match and
                              conversion was performed. \n For example, if deployments
                              can be modified via apps/v1 and apps/v1beta1, and a
                              webhook registered a rule of `apiGroups:[\"apps\"],
                              apiVersions:[\"v1\"], resources: [\"deployments\"]`
                              and `matchPolicy: Equivalent`, an API request to apps/v1beta1
                              deployments would be converted and sent to the webhook
                              with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
                              (matching the rule the webhook registered for), and
                              `requestKind: {group:\"apps\", version:\"v1beta1\",
                              kind:\"Deployment\"}` (indicating the kind of the original
                              API request). \n See documentation for the \"matchPolicy\"
                              field in the webhook configuration type for more details."
                            properties:
                              group:
                                type: string
                              kind:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - kind
                            - version
                            type: object
                          requestResource:
                            description: "RequestResource is the fully-qualified resource
                              of the original API request (for example, v1.pods).
                              If this is specified and differs from the value in \"resource\",
                              an equivalent match and conversion was performed. \n
                              For example, if deployments can be modified via apps/v1
                              and apps/v1beta1, and a webhook registered a rule of
                              `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
                              [\"deployments\"]` and `matchPolicy: Equivalent`, an
                              API request to apps/v1beta1 deployments would be converted
                              and sent to the webhook with `resource: {group:\"apps\",
                              version:\"v1\", resource:\"deployments\"}` (matching
                              the resource the webhook registered for), and `requestResource:
                              {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
                              (indicating the resource of the original API request).
                              \n See documentation for the \"matchPolicy\" field in
                              the webhook configuration type."
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          requestSubResource:
                            description: RequestSubResource is the name of the subresource
                              of the original API request, if any (for example, "status"
                              or "scale") If this is specified and differs from the
                              value in "subResource", an equivalent match and conversion
                              was performed. See documentation for the "matchPolicy"
                              field in the webhook configuration type.
                            type: string
                          resource:
                            description: Resource is the fully-qualified resource
                              being requested (for example, v1.pods)
                            properties:
                              group:
                                type: string
                              resource:
                                type: string
                              version:
                                type: string
                            required:
                            - group
                            - resource
                            - version
                            type: object
                          subResource:
                            description: SubResource is the subresource being requested,
                              if any (for example, "status" or "scale")
                            type: string
                          uid:
                            description: UID is an identifier for the individual request/response.
                              It allows us to distinguish instances of requests which
                              are otherwise identical (parallel requests, requests
                              when earlier requests did not modify etc) The UID is
                              meant to track the round trip (request/response) between
                              the KAS and the WebHook, not the user request. It is
                              suitable for correlating log entries between the webhook
                              and apiserver, for either auditing or debugging.
                            type: string
                          userInfo:
                            description: UserInfo is information about the requesting
                              user
                            properties:
                              extra:
                                additionalProperties:
                                  description: ExtraValue masks the value so protobuf
                                    can generate
                                  items:
                                    type: string
                                  type: array
                                description: Any additional information provided by
                                  the authenticator.
                                type: object
                              groups:
                                description: The names of groups this user is a part
                                  of.
                                items:
                                  type: string
                                type: array
                              uid:
                                description: A unique value that identifies this user
                                  across time. If this user is deleted and another
                                  user by the same name is added, they will have different
                                  UIDs.
                                type: string
                              username:
                                description: The name that uniquely identifies this
                                  user among all active users.
                                type: string
                            type: object
                        required:
                        - kind
                        - operation
                        - resource
                        - uid
                        - userInfo
                        type: object
                      operation:
                        description: Operation is the type of resource operation being
                          checked for admission control
                        type: string
                    type: object
                  userInfo:
                    description: RequestInfo contains permission info carried in an
                      admission request.
                    properties:
                      clusterRoles:
                        description: ClusterRoles is a list of possible clusterRoles
                          send the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      roles:
                        description: Roles is a list of possible role send the request.
                        items:
                          type: string
                        nullable: true
                        type: array
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
                        properties:
                          extra:
                            additionalProperties:
                              description: ExtraValue masks the value so protobuf
                                can generate
                              items:
                                type: string
                              type: array
                            description: Any additional information provided by the
                              authenticator.
                            type: object
                          groups:
                            description: The names of groups this user is a part of.
                            items:
                              type: string
                            type: array
                          uid:
                            description: A unique value that identifies this user
                              across time. If this user is deleted and another user
                              by the same name is added, they will have different
                              UIDs.
                            type: string
                          username:
                            description: The name that uniquely identifies this user
                              among all active users.
                            type: string
                        type: object
                    type: object
                type: object
              deleteDownstream:
                description: DeleteDownstream represents whether the downstream needs
                  to be deleted.
                type: boolean
              policy:
                description: Specifies the name of the policy.
                type: string
              requestType:
                description: Type represents request type for background processing
                enum:
                - mutate
                - generate
                type: string
              resource:
                description: ResourceSpec is the information to identify the trigger
                  resource.
                properties:
                  apiVersion:
                    description: APIVersion specifies resource apiVersion.
                    type: string
                  kind:
                    description: Kind specifies resource kind.
                    type: string
                  name:
                    description: Name specifies the resource name.
                    type: string
                  namespace:
                    description: Namespace specifies resource namespace.
                    type: string
                type: object
              rule:
                description: Rule is the associate rule name of the current UR.
                type: string
              synchronize:
                description: Synchronize represents the sync behavior of the corresponding
                  rule Optional. Defaults to "false" if not specified.
                type: boolean
            required:
            - context
            - deleteDownstream
            - policy
            - resource
            - rule
            type: object
          status:
            description: Status contains statistics related to update request.
            properties:
              generatedResources:
                description: This will track the resources that are updated by the
                  generate Policy. Will be used during clean up resources.
                items:
                  properties:
                    apiVersion:
                      description: APIVersion specifies resource apiVersion.
                      type: string
                    kind:
                      description: Kind specifies resource kind.
                      type: string
                    name:
                      description: Name specifies the resource name.
                      type: string
                    namespace:
                      description: Namespace specifies resource namespace.
                      type: string
                  type: object
                type: array
              handler:
                description: Handler represents the instance ID that handles the UR
                  Deprecated
                type: string
              message:
                description: Specifies request status message.
                type: string
              state:
                description: State represents state of the update request.
                type: string
            required:
            - state
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: clusterpolicyreports.wgpolicyk8s.io
spec:
  group: wgpolicyk8s.io
  names:
    kind: ClusterPolicyReport
    listKind: ClusterPolicyReportList
    plural: clusterpolicyreports
    shortNames:
    - cpolr
    singular: clusterpolicyreport
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .scope.kind
      name: Kind
      priority: 1
      type: string
    - jsonPath: .scope.name
      name: Name
      priority: 1
      type: string
    - jsonPath: .summary.pass
      name: Pass
      type: integer
    - jsonPath: .summary.fail
      name: Fail
      type: integer
    - jsonPath: .summary.warn
      name: Warn
      type: integer
    - jsonPath: .summary.error
      name: Error
      type: integer
    - jsonPath: .summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: ClusterPolicyReport is the Schema for the clusterpolicyreports
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          results:
            description: PolicyReportResult provides result details
            items:
              description: PolicyReportResult provides the result for an individual
                policy
              properties:
                category:
                  description: Category indicates policy category
                  type: string
                message:
                  description: Description is a short user friendly message for the
                    policy rule
                  type: string
                policy:
                  description: Policy is the name or identifier of the policy
                  type: string
                properties:
                  additionalProperties:
                    type: string
                  description: Properties provides additional information for the
                    policy rule
                  type: object
                resourceSelector:
                  description: SubjectSelector is an optional label selector for checked
                    Kubernetes resources. For example, a policy result may apply to
                    all pods that match a label. Either a Subject or a SubjectSelector
                    can be specified. If neither are provided, the result is assumed
                    to be for the policy report scope.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                resources:
                  description: Subjects is an optional reference to the checked Kubernetes
                    resources
                  items:
                    description: "ObjectReference contains enough information to let
                      you inspect or modify the referred object. --- New uses of this
                      type are discouraged because of difficulty describing its usage
                      when embedded in APIs. 1. Ignored fields.  It includes many
                      fields which are not generally honored.  For instance, ResourceVersion
                      and FieldPath are both very rarely valid in actual usage. 2.
                      Invalid usage help.  It is impossible to add specific help for
                      individual usage.  In most embedded usages, there are particular
                      restrictions like, \"must refer only to types A and B\" or \"UID
                      not honored\" or \"name must be restricted\". Those cannot be
                      well described when embedded. 3. Inconsistent validation.  Because
                      the usages are different, the validation rules are different
                      by usage, which makes it hard for users to predict what will
                      happen. 4. The fields are both imprecise and overly precise.
                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
                      during interpretation and require a REST mapping.  In most cases,
                      the dependency is on the group,resource tuple and the version
                      of the actual struct is irrelevant. 5. We cannot easily change
                      it.  Because this type is embedded in many locations, updates
                      to this type will affect numerous schemas.  Don't make new APIs
                      embed an underspecified API type they do not control. \n Instead
                      of using this type, create a locally provided and used type
                      that is well-focused on your reference. For example, ServiceReferences
                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                      ."
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
                        description: 'If referring to a piece of an object instead
                          of an entire object, this string should contain a valid
                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
                          For example, if the object reference is to a container within
                          a pod, this would take on a value like: "spec.containers{name}"
                          (where "name" refers to the name of the container that triggered
                          the event) or if no container name is specified "spec.containers[2]"
                          (container with index 2 in this pod). This syntax is chosen
                          only to have some well-defined way of referencing a part
                          of an object. TODO: this design is not final and this field
                          is subject to change in the future.'
                        type: string
                      kind:
                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                        type: string
                      namespace:
                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                        type: string
                      resourceVersion:
                        description: 'Specific resourceVersion to which this reference
                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                        type: string
                      uid:
                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  type: array
                result:
                  description: Result indicates the outcome of the policy rule execution
                  enum:
                  - pass
                  - fail
                  - warn
                  - error
                  - skip
                  type: string
                rule:
                  description: Rule is the name or identifier of the rule within the
                    policy
                  type: string
                scored:
                  description: Scored indicates if this result is scored
                  type: boolean
                severity:
                  description: Severity indicates policy check result criticality
                  enum:
                  - critical
                  - high
                  - low
                  - medium
                  - info
                  type: string
                source:
                  description: Source is an identifier for the policy engine that
                    manages this report
                  type: string
                timestamp:
                  description: Timestamp indicates the time the result was found
                  properties:
                    nanos:
                      description: Non-negative fractions of a second at nanosecond
                        resolution. Negative second values with fractions must still
                        have non-negative nanos values that count forward in time.
                        Must be from 0 to 999,999,999 inclusive. This field may be
                        limited in precision depending on context.
                      format: int32
                      type: integer
                    seconds:
                      description: Represents seconds of UTC time since Unix epoch
                        1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                        9999-12-31T23:59:59Z inclusive.
                      format: int64
                      type: integer
                  required:
                  - nanos
                  - seconds
                  type: object
              required:
              - policy
              type: object
            type: array
          scope:
            description: Scope is an optional reference to the report scope (e.g.
              a Deployment, Namespace, or Node)
            properties:
              apiVersion:
                description: API version of the referent.
                type: string
              fieldPath:
                description: 'If referring to a piece of an object instead of an entire
                  object, this string should contain a valid JSON/Go field access
                  statement, such as desiredState.manifest.containers[2]. For example,
                  if the object reference is to a container within a pod, this would
                  take on a value like: "spec.containers{name}" (where "name" refers
                  to the name of the container that triggered the event) or if no
                  container name is specified "spec.containers[2]" (container with
                  index 2 in this pod). This syntax is chosen only to have some well-defined
                  way of referencing a part of an object. TODO: this design is not
                  final and this field is subject to change in the future.'
                type: string
              kind:
                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              name:
                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                type: string
              namespace:
                description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                type: string
              resourceVersion:
                description: 'Specific resourceVersion to which this reference is
                  made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                type: string
              uid:
                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                type: string
            type: object
            x-kubernetes-map-type: atomic
          scopeSelector:
            description: ScopeSelector is an optional selector for multiple scopes
              (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
              should be specified.
            properties:
              matchExpressions:
                description: matchExpressions is a list of label selector requirements.
                  The requirements are ANDed.
                items:
                  description: A label selector requirement is a selector that contains
                    values, a key, and an operator that relates the key and values.
                  properties:
                    key:
                      description: key is the label key that the selector applies
                        to.
                      type: string
                    operator:
                      description: operator represents a key's relationship to a set
                        of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                      type: string
                    values:
                      description: values is an array of string values. If the operator
                        is In or NotIn, the values array must be non-empty. If the
                        operator is Exists or DoesNotExist, the values array must
                        be empty. This array is replaced during a strategic merge
                        patch.
                      items:
                        type: string
                      type: array
                  required:
                  - key
                  - operator
                  type: object
                type: array
              matchLabels:
                additionalProperties:
                  type: string
                description: matchLabels is a map of {key,value} pairs. A single {key,value}
                  in the matchLabels map is equivalent to an element of matchExpressions,
                  whose key field is "key", the operator is "In", and the values array
                  contains only "value". The requirements are ANDed.
                type: object
            type: object
            x-kubernetes-map-type: atomic
          summary:
            description: PolicyReportSummary provides a summary of results
            properties:
              error:
                description: Error provides the count of policies that could not be
                  evaluated
                type: integer
              fail:
                description: Fail provides the count of policies whose requirements
                  were not met
                type: integer
              pass:
                description: Pass provides the count of policies whose requirements
                  were met
                type: integer
              skip:
                description: Skip indicates the count of policies that were not selected
                  for evaluation
                type: integer
              warn:
                description: Warn provides the count of non-scored policies whose
                  requirements were not met
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
  name: policyreports.wgpolicyk8s.io
spec:
  group: wgpolicyk8s.io
  names:
    kind: PolicyReport
    listKind: PolicyReportList
    plural: policyreports
    shortNames:
    - polr
    singular: policyreport
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .scope.kind
      name: Kind
      priority: 1
      type: string
    - jsonPath: .scope.name
      name: Name
      priority: 1
      type: string
    - jsonPath: .summary.pass
      name: Pass
      type: integer
    - jsonPath: .summary.fail
      name: Fail
      type: integer
    - jsonPath: .summary.warn
      name: Warn
      type: integer
    - jsonPath: .summary.error
      name: Error
      type: integer
    - jsonPath: .summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: PolicyReport is the Schema for the policyreports API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          results:
            description: PolicyReportResult provides result details
            items:
              description: PolicyReportResult provides the result for an individual
                policy
              properties:
                category:
                  description: Category indicates policy category
                  type: string
                message:
                  description: Description is a short user friendly message for the
                    policy rule
                  type: string
                policy:
                  description: Policy is the name or identifier of the policy
                  type: string
                properties:
                  additionalProperties:
                    type: string
                  description: Properties provides additional information for the
                    policy rule
                  type: object
                resourceSelector:
                  description: SubjectSelector is an optional label selector for checked
                    Kubernetes resources. For example, a policy result may apply to
                    all pods that match a label. Either a Subject or a SubjectSelector
                    can be specified. If neither are provided, the result is assumed
                    to be for the policy report scope.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                resources:
                  description: Subjects is an optional reference to the checked Kubernetes
                    resources
                  items:
                    description: "ObjectReference contains enough information to let
                      you inspect or modify the referred object. --- New uses of this
                      type are discouraged because of difficulty describing its usage
                      when embedded in APIs. 1. Ignored fields.  It includes many
                      fields which are not generally honored.  For instance, ResourceVersion
                      and FieldPath are both very rarely valid in actual usage. 2.
                      Invalid usage help.  It is impossible to add specific help for
                      individual usage.  In most embedded usages, there are particular
                      restrictions like, \"must refer only to types A and B\" or \"UID
                      not honored\" or \"name must be restricted\". Those cannot be
                      well described when embedded. 3. Inconsistent validation.  Because
                      the usages are different, the validation rules are different
                      by usage, which makes it hard for users to predict what will
                      happen. 4. The fields are both imprecise and overly precise.
                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
                      during interpretation and require a REST mapping.  In most cases,
                      the dependency is on the group,resource tuple and the version
                      of the actual struct is irrelevant. 5. We cannot easily change
                      it.  Because this type is embedded in many locations, updates
                      to this type will affect numerous schemas.  Don't make new APIs
                      embed an underspecified API type they do not control. \n Instead
                      of using this type, create a locally provided and used type
                      that is well-focused on your reference. For example, ServiceReferences
                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                      ."
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
                        description: 'If referring to a piece of an object instead
                          of an entire object, this string should contain a valid
                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
                          For example, if the object reference is to a container within
                          a pod, this would take on a value like: "spec.containers{name}"
                          (where "name" refers to the name of the container that triggered
                          the event) or if no container name is specified "spec.containers[2]"
                          (container with index 2 in this pod). This syntax is chosen
                          only to have some well-defined way of referencing a part
                          of an object. TODO: this design is not final and this field
                          is subject to change in the future.'
                        type: string
                      kind:
                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                        type: string
                      namespace:
                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                        type: string
                      resourceVersion:
                        description: 'Specific resourceVersion to which this reference
                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                        type: string
                      uid:
                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  type: array
                result:
                  description: Result indicates the outcome of the policy rule execution
                  enum:
                  - pass
                  - fail
                  - warn
                  - error
                  - skip
                  type: string
                rule:
                  description: Rule is the name or identifier of the rule within the
                    policy
                  type: string
                scored:
                  description: Scored indicates if this result is scored
                  type: boolean
                severity:
                  description: Severity indicates policy check result criticality
                  enum:
                  - critical
                  - high
                  - low
                  - medium
                  - info
                  type: string
                source:
                  description: Source is an identifier for the policy engine that
                    manages this report
                  type: string
                timestamp:
                  description: Timestamp indicates the time the result was found
                  properties:
                    nanos:
                      description: Non-negative fractions of a second at nanosecond
                        resolution. Negative second values with fractions must still
                        have non-negative nanos values that count forward in time.
                        Must be from 0 to 999,999,999 inclusive. This field may be
                        limited in precision depending on context.
                      format: int32
                      type: integer
                    seconds:
                      description: Represents seconds of UTC time since Unix epoch
                        1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                        9999-12-31T23:59:59Z inclusive.
                      format: int64
                      type: integer
                  required:
                  - nanos
                  - seconds
                  type: object
              required:
              - policy
              type: object
            type: array
          scope:
            description: Scope is an optional reference to the report scope (e.g.
              a Deployment, Namespace, or Node)
            properties:
              apiVersion:
                description: API version of the referent.
                type: string
              fieldPath:
                description: 'If referring to a piece of an object instead of an entire
                  object, this string should contain a valid JSON/Go field access
                  statement, such as desiredState.manifest.containers[2]. For example,
                  if the object reference is to a container within a pod, this would
                  take on a value like: "spec.containers{name}" (where "name" refers
                  to the name of the container that triggered the event) or if no
                  container name is specified "spec.containers[2]" (container with
                  index 2 in this pod). This syntax is chosen only to have some well-defined
                  way of referencing a part of an object. TODO: this design is not
                  final and this field is subject to change in the future.'
                type: string
              kind:
                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                type: string
              name:
                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                type: string
              namespace:
                description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                type: string
              resourceVersion:
                description: 'Specific resourceVersion to which this reference is
                  made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
                type: string
              uid:
                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                type: string
            type: object
            x-kubernetes-map-type: atomic
          scopeSelector:
            description: ScopeSelector is an optional selector for multiple scopes
              (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
              should be specified.
            properties:
              matchExpressions:
                description: matchExpressions is a list of label selector requirements.
                  The requirements are ANDed.
                items:
                  description: A label selector requirement is a selector that contains
                    values, a key, and an operator that relates the key and values.
                  properties:
                    key:
                      description: key is the label key that the selector applies
                        to.
                      type: string
                    operator:
                      description: operator represents a key's relationship to a set
                        of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                      type: string
                    values:
                      description: values is an array of string values. If the operator
                        is In or NotIn, the values array must be non-empty. If the
                        operator is Exists or DoesNotExist, the values array must
                        be empty. This array is replaced during a strategic merge
                        patch.
                      items:
                        type: string
                      type: array
                  required:
                  - key
                  - operator
                  type: object
                type: array
              matchLabels:
                additionalProperties:
                  type: string
                description: matchLabels is a map of {key,value} pairs. A single {key,value}
                  in the matchLabels map is equivalent to an element of matchExpressions,
                  whose key field is "key", the operator is "In", and the values array
                  contains only "value". The requirements are ANDed.
                type: object
            type: object
            x-kubernetes-map-type: atomic
          summary:
            description: PolicyReportSummary provides a summary of results
            properties:
              error:
                description: Error provides the count of policies that could not be
                  evaluated
                type: integer
              fail:
                description: Fail provides the count of policies whose requirements
                  were not met
                type: integer
              pass:
                description: Pass provides the count of policies whose requirements
                  were met
                type: integer
              skip:
                description: Skip indicates the count of policies that were not selected
                  for evaluation
                type: integer
              warn:
                description: Warn provides the count of non-scored policies whose
                  requirements were not met
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller:core
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - watch
      - list
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - updaterequests
      - updaterequests/status
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - update
      - patch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:core
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
      - updaterequests/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - update
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
      - networkpolicies
    verbs:
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
      - resourcequotas
      - limitranges
    verbs:
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller:core
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - kyverno.io
    resources:
      - clustercleanuppolicies
      - cleanuppolicies
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno-cleanup-jobs
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - admissionreports
      - clusteradmissionreports
    verbs:
      - list
      - deletecollection
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - cleanuppolicies
      - clustercleanuppolicies
      - policies
      - clusterpolicies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - cleanuppolicies
      - clustercleanuppolicies
      - policies
      - clusterpolicies
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller:core
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - kyverno.io
    resources:
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - ''
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:background-controller
subjects:
- kind: ServiceAccount
  name: kyverno-background-controller
  namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:cleanup-controller
subjects:
- kind: ServiceAccount
  name: kyverno-cleanup-controller
  namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno-cleanup-jobs
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno-cleanup-jobs
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-jobs
    namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:reports-controller
subjects:
- kind: ServiceAccount
  name: kyverno-reports-controller
  namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - delete
      - get
      - patch
      - update
  # Allow update of Kyverno deployment annotations
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-background-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - delete
      - get
      - list
      - update
      - watch
    resourceNames:
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-cleanup-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-reports-controller
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:background-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:cleanup-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:reports-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 443
    targetPort: https
    protocol: TCP
    name: https
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 8000
    targetPort: 8000
    protocol: TCP
    name: metrics-port
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-background-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 8000
    targetPort: 8000
    protocol: TCP
    name: metrics-port
  selector:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 443
    targetPort: https
    protocol: TCP
    name: https
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 8000
    targetPort: 8000
    protocol: TCP
    name: metrics-port
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: kyverno-reports-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
  - port: 8000
    targetPort: 8000
    protocol: TCP
    name: metrics-port
  selector:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  replicas: 
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                  - admission-controller
              topologyKey: kubernetes.io/hostname
            weight: 1
      serviceAccountName: kyverno-admission-controller
      initContainers:
        - name: kyverno-pre
          image: "ghcr.io/kyverno/kyvernopre:latest"
          imagePullPolicy: IfNotPresent
          args:
            - --loggingFormat=text
            - --v=2
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-admission-controller
          - name: INIT_CONFIG
            value: kyverno
          - name: METRICS_CONFIG
            value: kyverno-metrics
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-admission-controller
          - name: KYVERNO_SVC
            value: kyverno-svc
      containers:
        - name: kyverno
          image: "ghcr.io/kyverno/kyverno:latest"
          imagePullPolicy: IfNotPresent
          args:
            - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
            - --servicePort=443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --autoUpdateWebhooks=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --dumpPayload=false
            - --forceFailurePolicyIgnore=false
            - --loggingFormat=text
            - --v=2
            - --enablePolicyException=false
            - --protectManagedResources=false
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          resources:
            limits:
              memory: 384Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
          - containerPort: 9443
            name: https
            protocol: TCP
          - containerPort: 8000
            name: metrics-port
            protocol: TCP
          env:
          - name: INIT_CONFIG
            value: kyverno
          - name: METRICS_CONFIG
            value: kyverno-metrics
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-admission-controller
          - name: KYVERNO_SVC
            value: kyverno-svc
          - name: TUF_ROOT
            value: /.sigstore
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-admission-controller
          startupProbe:
            failureThreshold: 20
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          volumeMounts:
            - mountPath: /.sigstore
              name: sigstore
      volumes:
      - name: sigstore
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  replicas: 
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/component: background-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                  - background-controller
              topologyKey: kubernetes.io/hostname
            weight: 1
      serviceAccountName: kyverno-background-controller
      containers:
        - name: controller
          image: "ghcr.io/kyverno/background-controller:latest"
          ports:
          - containerPort: 9443
            name: https
            protocol: TCP
          - containerPort: 8000
            name: metrics
            protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --loggingFormat=text
            - --v=2
            - --enablePolicyException=false
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-background-controller
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-background-controller
          - name: INIT_CONFIG
            value: kyverno
          - name: METRICS_CONFIG
            value: kyverno-metrics
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  replicas: 
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/component: cleanup-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                  - cleanup-controller
              topologyKey: kubernetes.io/hostname
            weight: 1
      serviceAccountName: kyverno-cleanup-controller
      containers:
        - name: controller
          image: "ghcr.io/kyverno/cleanup-controller:latest"
          ports:
          - containerPort: 9443
            name: https
            protocol: TCP
          - containerPort: 8000
            name: metrics
            protocol: TCP
          args:
            - --servicePort=443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableDeferredLoading=true
            - --dumpPayload=false
            - --loggingFormat=text
            - --v=2
            - --ttlReconciliationInterval=1m
          env:
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-cleanup-controller
          - name: INIT_CONFIG
            value: kyverno
          - name: METRICS_CONFIG
            value: kyverno-metrics
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-cleanup-controller
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: KYVERNO_SVC
            value: kyverno-cleanup-controller
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          startupProbe:
            failureThreshold: 20
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  replicas: 
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/component: reports-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      dnsPolicy: ClusterFirst
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                  - reports-controller
              topologyKey: kubernetes.io/hostname
            weight: 1
      serviceAccountName: kyverno-reports-controller
      containers:
        - name: controller
          image: "ghcr.io/kyverno/reports-controller:latest"
          ports:
          - containerPort: 9443
            name: https
            protocol: TCP
          - containerPort: 8000
            name: metrics
            protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --aggregateReports=true
            - --policyReports=true
            - --backgroundScan=true
            - --backgroundScanWorkers=2
            - --backgroundScanInterval=1h
            - --skipResourceFilters=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --loggingFormat=text
            - --v=2
            - --enablePolicyException=false
            - --reportsChunkSize=1000
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-reports-controller
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-reports-controller
          - name: INIT_CONFIG
            value: kyverno
          - name: METRICS_CONFIG
            value: kyverno-metrics
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: TUF_ROOT
            value: /.sigstore
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /.sigstore
              name: sigstore
      volumes:
      - name: sigstore
        emptyDir: {}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kyverno-cleanup-admission-reports
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        metadata:
        spec:
          serviceAccountName: kyverno-cleanup-jobs
          containers:
          - name: cleanup
            image: "bitnami/kubectl:1.26.4"
            imagePullPolicy: 
            command:
            - /bin/sh
            - -c
            - |
              COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
              if [ "$COUNT" -gt 10000 ]; then
                echo "too many reports found ($COUNT), cleaning up..."
                kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
              else
                echo "($COUNT) reports found, no clean up needed"
              fi
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
          restartPolicy: OnFailure
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kyverno-cleanup-cluster-admission-reports
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        metadata:
        spec:
          serviceAccountName: kyverno-cleanup-jobs
          containers:
          - name: cleanup
            image: "bitnami/kubectl:1.26.4"
            imagePullPolicy: 
            command:
            - /bin/sh
            - -c
            - |
              COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
              if [ "$COUNT" -gt 10000 ]; then
                echo "too many reports found ($COUNT), cleaning up..."
                kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
              else
                echo "($COUNT) reports found, no clean up needed"
              fi
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
          restartPolicy: OnFailure